Merge remote-tracking branch 'origin/main' into shell-process-group-timeout

core: replace Cloudflare 403 HTML with friendly message (#6252 )
### Motivation When Codex is launched from a region where Cloudflare blocks access (for example, Russia), the CLI currently dumps Cloudflare’s entire HTML error page. This isn’t actionable and makes it hard for users to understand what happened. We want to detect the Cloudflare block and show a concise, user-friendly explanation instead. ### What Changed - Added CLOUDFLARE_BLOCKED_MESSAGE and a friendly_message() helper to UnexpectedResponseError. Whenever we see a 403 whose body contains the Cloudflare block notice, we now emit a single-line message (Access blocked by Cloudflare…) while preserving the HTTP status and request id. All other responses keep the original behaviour. - Added two focused unit tests: - unexpected_status_cloudflare_html_is_simplified ensures the Cloudflare HTML case yields the friendly message. - unexpected_status_non_html_is_unchanged confirms plain-text 403s still return the raw body. ### Testing - cargo build -p codex-cli - cargo test -p codex-core - just fix -p codex-core - cargo test --all-features --------- Co-authored-by: Eric Traut <etraut@openai.com>
2026-02-02 15:03:38 +00:00 · 2025-11-07 16:38:49 -08:00 · 2025-11-07 15:55:16 -08:00 · 2025-11-07 15:54:07 -08:00 · 2025-11-07 23:52:20 +00:00 · 2025-11-07 14:49:17 -08:00
223 changed files with 16171 additions and 5316 deletions
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -4,3 +4,5 @@ Before opening this Pull Request, please read the dedicated "Contributing" markd
 https://github.com/openai/codex/blob/main/docs/contributing.md

 If your PR conforms to our contribution guidelines, replace this text with a detailed and high quality description of your changes.
+
+Include a link to a bug report or enhancement request.
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,7 +46,7 @@ jobs:
          echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"

      - name: Upload staged npm package artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: codex-npm-staging
          path: ${{ steps.stage_npm_package.outputs.pack_output }}
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -16,7 +16,7 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      - name: Prepare Codex inputs
        env:
@@ -87,7 +87,7 @@ jobs:
      issues: write
    steps:
      - name: Comment on issue
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        env:
          CODEX_OUTPUT: ${{ needs.gather-duplicates.outputs.codex_output }}
        with:
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -16,7 +16,7 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      - id: codex
        uses: openai/codex-action@main
@@ -26,21 +26,36 @@ jobs:
          prompt: |
            You are an assistant that reviews GitHub issues for the repository.

-            Your job is to choose the most appropriate existing labels for the issue described later in this prompt.
+            Your job is to choose the most appropriate labels for the issue described later in this prompt.
            Follow these rules:
-            - Only pick labels out of the list below.
-            - Prefer a small set of precise labels over many broad ones.

-            Labels to apply:
+            - Add one (and only one) of the following three labels to distinguish the type of issue. Default to "bug" if unsure.
            1. bug — Reproducible defects in Codex products (CLI, VS Code extension, web, auth).
            2. enhancement — Feature requests or usability improvements that ask for new capabilities, better ergonomics, or quality-of-life tweaks.
-            3. extension — VS Code (or other IDE) extension-specific issues.
-            4. windows-os — Bugs or friction specific to Windows environments (always when PowerShell is mentioned, path handling, copy/paste, OS-specific auth or tooling failures).
-            5. mcp — Topics involving Model Context Protocol servers/clients.
-            6. codex-web — Issues targeting the Codex web UI/Cloud experience.
-            8. azure — Problems or requests tied to Azure OpenAI deployments.
-            9. documentation — Updates or corrections needed in docs/README/config references (broken links, missing examples, outdated keys, clarification requests).
-            10. model-behavior — Undesirable LLM behavior: forgetting goals, refusing work, hallucinating environment details, quota misreports, or other reasoning/performance anomalies.
+            3. documentation — Updates or corrections needed in docs/README/config references (broken links, missing examples, outdated keys, clarification requests).
+
+            - If applicable, add one of the following labels to specify which sub-product or product surface the issue relates to.
+            1. CLI — the Codex command line interface.
+            2. extension — VS Code (or other IDE) extension-specific issues.
+            3. codex-web — Issues targeting the Codex web UI/Cloud experience.
+            4. github-action — Issues with the Codex GitHub action.
+            5. iOS — Issues with the Codex iOS app.
+
+            - Additionally add zero or more of the following labels that are relevant to the issue content. Prefer a small set of precise labels over many broad ones.
+            1. windows-os — Bugs or friction specific to Windows environments (always when PowerShell is mentioned, path handling, copy/paste, OS-specific auth or tooling failures).
+            2. mcp — Topics involving Model Context Protocol servers/clients.
+            3. mcp-server — Problems related to the codex mcp-server command, where codex runs as an MCP server.
+            4. azure — Problems or requests tied to Azure OpenAI deployments.
+            5. model-behavior — Undesirable LLM behavior: forgetting goals, refusing work, hallucinating environment details, quota misreports, or other reasoning/performance anomalies.
+            6. code-review — Issues related to the code review feature or functionality.
+            7. auth - Problems related to authentication, login, or access tokens.
+            8. codex-exec - Problems related to the "codex exec" command or functionality.
+            9. context-management - Problems related to compaction, context windows, or available context reporting.
+            10. custom-model - Problems that involve using custom model providers, local models, or OSS models.
+            11. rate-limits - Problems related to token limits, rate limits, or token usage reporting.
+            12. sandbox - Issues related to local sandbox environments or tool call approvals to override sandbox restrictions.
+            13. tool-calls - Problems related to specific tool call invocations including unexpected errors, failures, or hangs.
+            14. TUI - Problems with the terminal user interface (TUI) including keyboard shortcuts, copy & pasting, menus, or screen update issues.

            Issue number: ${{ github.event.issue.number }}

--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -350,7 +350,7 @@ jobs:
            fi
          fi

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
        with:
          name: ${{ matrix.target }}
          # Upload the per-binary .zst files as well as the new .tar.gz
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -84,6 +84,7 @@ If you don’t have the tool:
 - Use `ResponseMock::single_request()` when a test should only issue one POST, or `ResponseMock::requests()` to inspect every captured `ResponsesRequest`.
 - `ResponsesRequest` exposes helpers (`body_json`, `input`, `function_call_output`, `custom_tool_call_output`, `call_output`, `header`, `path`, `query_param`) so assertions can target structured payloads instead of manual JSON digging.
 - Build SSE payloads with the provided `ev_*` constructors and the `sse(...)`.
+- Prefer `wait_for_event` over `wait_for_event_with_timeout`.

 - Typical pattern:

--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ Then simply run `codex` to get started:
 codex
 ```

-If you're running into upgrade issues with Homebrew, see the [FAQ entry on brew upgrade codex](./docs/faq.md#brew-update-codex-isnt-upgrading-me).
+If you're running into upgrade issues with Homebrew, see the [FAQ entry on brew upgrade codex](./docs/faq.md#brew-upgrade-codex-isnt-upgrading-me).

 <details>
 <summary>You can also go to the <a href="https://github.com/openai/codex/releases/latest">latest GitHub Release</a> and download the appropriate binary for your platform.</summary>
@@ -75,11 +75,13 @@ Codex CLI supports a rich set of configuration options, with preferences stored

 - [**Getting started**](./docs/getting-started.md)
  - [CLI usage](./docs/getting-started.md#cli-usage)
+  - [Slash Commands](./docs/slash_commands.md)
  - [Running with a prompt as input](./docs/getting-started.md#running-with-a-prompt-as-input)
  - [Example prompts](./docs/getting-started.md#example-prompts)
  - [Custom prompts](./docs/prompts.md)
  - [Memory with AGENTS.md](./docs/getting-started.md#memory-with-agentsmd)
-  - [Configuration](./docs/config.md)
+- [**Configuration**](./docs/config.md)
+  - [Example config](./docs/example-config.md)
 - [**Sandbox & approvals**](./docs/sandbox.md)
 - [**Authentication**](./docs/authentication.md)
  - [Auth methods](./docs/authentication.md#forcing-a-specific-auth-method-advanced)
--- a/codex-rs/.cargo/config.toml
+++ b/codex-rs/.cargo/config.toml
@@ -0,0 +1,5 @@
+[target.'cfg(all(windows, target_env = "msvc"))']
+rustflags = ["-C", "link-arg=/STACK:8388608"]
+
+[target.'cfg(all(windows, target_env = "gnu"))']
+rustflags = ["-C", "link-arg=-Wl,--stack,8388608"]
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -172,9 +172,9 @@ dependencies = [

 [[package]]
 name = "anyhow"
-version = "1.0.99"
+version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100"
+checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"

 [[package]]
 name = "app_test_support"
@@ -186,9 +186,11 @@ dependencies = [
 "chrono",
 "codex-app-server-protocol",
 "codex-core",
+ "codex-protocol",
 "serde",
 "serde_json",
 "tokio",
+ "uuid",
 "wiremock",
 ]

@@ -871,6 +873,7 @@ dependencies = [
 "anyhow",
 "clap",
 "codex-protocol",
+ "mcp-types",
 "paste",
 "pretty_assertions",
 "schemars 0.8.22",
@@ -891,7 +894,7 @@ dependencies = [
 "pretty_assertions",
 "similar",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tree-sitter",
 "tree-sitter-bash",
 ]
@@ -983,6 +986,7 @@ dependencies = [
 "codex-rmcp-client",
 "codex-stdio-to-uds",
 "codex-tui",
+ "codex-windows-sandbox",
 "ctor 0.5.0",
 "owo-colors",
 "predicates",
@@ -991,6 +995,7 @@ dependencies = [
 "supports-color",
 "tempfile",
 "tokio",
+ "toml",
 ]

 [[package]]
@@ -1031,7 +1036,7 @@ dependencies = [
 "diffy",
 "serde",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -1072,6 +1077,7 @@ dependencies = [
 "codex-utils-readiness",
 "codex-utils-string",
 "codex-utils-tokenizer",
+ "codex-windows-sandbox",
 "core-foundation 0.9.4",
 "core_test_support",
 "dirs",
@@ -1082,7 +1088,7 @@ dependencies = [
 "futures",
 "http",
 "image",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "keyring",
 "landlock",
 "libc",
@@ -1106,7 +1112,7 @@ dependencies = [
 "strum_macros 0.27.2",
 "tempfile",
 "test-log",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "time",
 "tokio",
 "tokio-test",
@@ -1212,7 +1218,7 @@ dependencies = [
 "schemars 0.8.22",
 "serde",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "ts-rs",
 "walkdir",
 ]
@@ -1446,8 +1452,10 @@ dependencies = [
 "codex-login",
 "codex-ollama",
 "codex-protocol",
+ "codex-windows-sandbox",
 "color-eyre",
 "crossterm",
+ "derive_more 2.0.1",
 "diffy",
 "dirs",
 "dunce",
@@ -1467,6 +1475,7 @@ dependencies = [
 "regex-lite",
 "serde",
 "serde_json",
+ "serial_test",
 "shlex",
 "strum 0.27.2",
 "strum_macros 0.27.2",
@@ -1504,7 +1513,7 @@ dependencies = [
 "codex-utils-cache",
 "image",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 ]

@@ -1532,7 +1541,7 @@ version = "0.0.0"
 dependencies = [
 "assert_matches",
 "async-trait",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "time",
 "tokio",
 ]
@@ -1547,10 +1556,22 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "pretty_assertions",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tiktoken-rs",
 ]

+[[package]]
+name = "codex-windows-sandbox"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "dirs-next",
+ "rand 0.8.5",
+ "serde",
+ "serde_json",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "color-eyre"
 version = "0.6.5"
@@ -1638,6 +1659,15 @@ dependencies = [
 "unicode-segmentation",
 ]

+[[package]]
+name = "convert_case"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb402b8d4c85569410425650ce3eddc7d698ed96d39a73f941b08fb63082f1e7"
+dependencies = [
+ "unicode-segmentation",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.9.4"
@@ -1736,8 +1766,7 @@ checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
 [[package]]
 name = "crossterm"
 version = "0.28.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "829d955a0bb380ef178a640b91779e3987da38c9aea133b20614cfed8cdea9c6"
+source = "git+https://github.com/nornagon/crossterm?branch=nornagon%2Fcolor-query#87db8bfa6dc99427fd3b071681b07fc31c6ce995"
 dependencies = [
 "bitflags 2.10.0",
 "crossterm_winapi",
@@ -1984,7 +2013,7 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cb7330aeadfbe296029522e6c40f315320aba36fc43a5b3632f3795348f3bd22"
 dependencies = [
- "convert_case",
+ "convert_case 0.6.0",
 "proc-macro2",
 "quote",
 "syn 2.0.104",
@@ -1997,6 +2026,7 @@ version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3"
 dependencies = [
+ "convert_case 0.7.1",
 "proc-macro2",
 "quote",
 "syn 2.0.104",
@@ -2708,7 +2738,7 @@ dependencies = [
 "futures-core",
 "futures-sink",
 "http",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "slab",
 "tokio",
 "tokio-util",
@@ -2752,6 +2782,12 @@ dependencies = [
 "foldhash",
 ]

+[[package]]
+name = "hashbrown"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
+
 [[package]]
 name = "heck"
 version = "0.5.0"
@@ -3187,13 +3223,14 @@ dependencies = [

 [[package]]
 name = "indexmap"
-version = "2.10.0"
+version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe4cd85333e22411419a0bcae1297d25e58c9443848b11dc6a86fefe8c78a661"
+checksum = "6717a8d2a5a929a1a2eb43a12812498ed141a0bcfb7e8f7844fbdbe4303bba9f"
 dependencies = [
 "equivalent",
- "hashbrown 0.15.4",
+ "hashbrown 0.16.0",
 "serde",
+ "serde_core",
 ]

 [[package]]
@@ -3481,7 +3518,7 @@ checksum = "b3d2ef408b88e913bfc6594f5e693d57676f6463ded7d8bf994175364320c706"
 dependencies = [
 "enumflags2",
 "libc",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -4161,7 +4198,7 @@ dependencies = [
 "futures-sink",
 "js-sys",
 "pin-project-lite",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tracing",
 ]

@@ -4204,7 +4241,7 @@ dependencies = [
 "prost",
 "reqwest",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tonic",
 "tracing",
@@ -4244,7 +4281,7 @@ dependencies = [
 "percent-encoding",
 "rand 0.9.2",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tokio-stream",
 ]
@@ -4355,7 +4392,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
 "fixedbitset",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 ]

 [[package]]
@@ -4423,7 +4460,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3af6b589e163c5a788fab00ce0c0366f6efbb9959c2f9874b224936af7fce7e1"
 dependencies = [
 "base64",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "quick-xml",
 "serde",
 "time",
@@ -4589,7 +4626,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a3ef4f2f0422f23a82ec9f628ea2acd12871c81a9362b02c43c1aa86acfc3ba1"
 dependencies = [
 "futures",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "nix 0.30.1",
 "tokio",
 "tracing",
@@ -4676,7 +4713,7 @@ dependencies = [
 "rustc-hash 2.1.1",
 "rustls",
 "socket2 0.6.0",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tracing",
 "web-time",
@@ -4697,7 +4734,7 @@ dependencies = [
 "rustls",
 "rustls-pki-types",
 "slab",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tinyvec",
 "tracing",
 "web-time",
@@ -4858,7 +4895,7 @@ checksum = "dd6f9d3d47bdd2ad6945c5015a226ec6155d0bcdfd8f7cd29f86b71f8de99d2b"
 dependencies = [
 "getrandom 0.2.16",
 "libredox",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -4987,9 +5024,9 @@ dependencies = [

 [[package]]
 name = "rmcp"
-version = "0.8.3"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fdad1258f7259fdc0f2dfc266939c82c3b5d1fd72bcde274d600cdc27e60243"
+checksum = "e5947688160b56fb6c827e3c20a72c90392a1d7e9dec74749197aa1780ac42ca"
 dependencies = [
 "base64",
 "bytes",
@@ -5009,7 +5046,7 @@ dependencies = [
 "serde",
 "serde_json",
 "sse-stream",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tokio-stream",
 "tokio-util",
@@ -5021,9 +5058,9 @@ dependencies = [

 [[package]]
 name = "rmcp-macros"
-version = "0.8.3"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ede0589a208cc7ce81d1be68aa7e74b917fcd03c81528408bab0457e187dcd9b"
+checksum = "01263441d3f8635c628e33856c468b96ebbce1af2d3699ea712ca71432d4ee7a"
 dependencies = [
 "darling 0.21.3",
 "proc-macro2",
@@ -5534,7 +5571,7 @@ version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "itoa",
 "memchr",
 "ryu",
@@ -5595,7 +5632,7 @@ dependencies = [
 "chrono",
 "hex",
 "indexmap 1.9.3",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "schemars 0.9.0",
 "schemars 1.0.4",
 "serde",
@@ -5664,6 +5701,12 @@ dependencies = [
 "digest",
 ]

+[[package]]
+name = "sha1_smol"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbfa15b3dddfee50a0fff136974b3e1bde555604ba463834a7eb7deb6417705d"
+
 [[package]]
 name = "sha2"
 version = "0.10.9"
@@ -6172,11 +6215,11 @@ dependencies = [

 [[package]]
 name = "thiserror"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
 dependencies = [
- "thiserror-impl 2.0.16",
+ "thiserror-impl 2.0.17",
 ]

 [[package]]
@@ -6192,9 +6235,9 @@ dependencies = [

 [[package]]
 name = "thiserror-impl"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -6413,7 +6456,7 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "75129e1dc5000bfbaa9fee9d1b21f974f9fbad9daec557a521ee6e080825f6e8"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "serde",
 "serde_spanned",
 "toml_datetime",
@@ -6437,7 +6480,7 @@ version = "0.23.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7211ff1b8f0d3adae1663b7da9ffe396eabe1ca25f0b0bee42b0da29a9ddce93"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "toml_datetime",
 "toml_parser",
 "toml_writer",
@@ -6496,7 +6539,7 @@ checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
 dependencies = [
 "futures-core",
 "futures-util",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "pin-project-lite",
 "slab",
 "sync_wrapper",
@@ -6674,7 +6717,7 @@ checksum = "adc5f880ad8d8f94e88cb81c3557024cf1a8b75e3b504c50481ed4f5a6006ff3"
 dependencies = [
 "regex",
 "streaming-iterator",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tree-sitter",
 ]

@@ -6697,7 +6740,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6ef1b7a6d914a34127ed8e1fa927eb7088903787bcded4fa3eef8f85ee1568be"
 dependencies = [
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "ts-rs-macros",
 "uuid",
 ]
@@ -6851,6 +6894,7 @@ dependencies = [
 "getrandom 0.3.3",
 "js-sys",
 "serde",
+ "sha1_smol",
 "wasm-bindgen",
 ]

--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -87,6 +87,7 @@ codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-string = { path = "utils/string" }
 codex-utils-tokenizer = { path = "utils/tokenizer" }
+codex-windows-sandbox = { path = "windows-sandbox-rs" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }
@@ -127,7 +128,7 @@ icu_provider = { version = "2.1", features = ["sync"] }
 icu_locale_core = "2.1"
 ignore = "0.4.23"
 image = { version = "^0.25.8", default-features = false }
-indexmap = "2.6.0"
+indexmap = "2.12.0"
 insta = "1.43.2"
 itertools = "0.14.0"
 keyring = "3.6"
@@ -161,7 +162,7 @@ ratatui = "0.29.0"
 ratatui-macros = "0.6.0"
 regex-lite = "0.1.7"
 reqwest = "0.12"
-rmcp = { version = "0.8.3", default-features = false }
+rmcp = { version = "0.8.5", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
 sentry = "0.34.0"
@@ -181,7 +182,7 @@ sys-locale = "0.3.2"
 tempfile = "3.23.0"
 test-log = "0.2.18"
 textwrap = "0.16.2"
-thiserror = "2.0.16"
+thiserror = "2.0.17"
 time = "0.3"
 tiny_http = "0.12"
 tokio = "1"
@@ -210,6 +211,7 @@ walkdir = "2.5.0"
 webbrowser = "1.0"
 which = "6"
 wildmatch = "2.5.0"
+
 wiremock = "0.6"
 zeroize = "1.8.1"

@@ -254,7 +256,12 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["icu_provider", "openssl-sys", "codex-utils-readiness", "codex-utils-tokenizer"]
+ignored = [
+    "icu_provider",
+    "openssl-sys",
+    "codex-utils-readiness",
+    "codex-utils-tokenizer",
+]

 [profile.release]
 lto = "fat"
@@ -274,6 +281,7 @@ opt-level = 0
 # Uncomment to debug local changes.
 # ratatui = { path = "../../ratatui" }
 ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
+crossterm = { git = "https://github.com/nornagon/crossterm", branch = "nornagon/color-query" }

 # Uncomment to debug local changes.
 # rmcp = { path = "../../rust-sdk/crates/rmcp" }
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -63,6 +63,9 @@ codex sandbox macos [--full-auto] [COMMAND]...
 # Linux
 codex sandbox linux [--full-auto] [COMMAND]...

+# Windows
+codex sandbox windows [--full-auto] [COMMAND]...
+
 # Legacy aliases
 codex debug seatbelt [--full-auto] [COMMAND]...
 codex debug landlock [--full-auto] [COMMAND]...
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -14,6 +14,7 @@ workspace = true
 anyhow = { workspace = true }
 clap = { workspace = true, features = ["derive"] }
 codex-protocol = { workspace = true }
+mcp-types = { workspace = true }
 paste = { workspace = true }
 schemars = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
--- a/codex-rs/app-server-protocol/src/export.rs
+++ b/codex-rs/app-server-protocol/src/export.rs
@@ -2,20 +2,27 @@ use crate::ClientNotification;
 use crate::ClientRequest;
 use crate::ServerNotification;
 use crate::ServerRequest;
+use crate::export_client_notification_schemas;
+use crate::export_client_param_schemas;
 use crate::export_client_response_schemas;
 use crate::export_client_responses;
+use crate::export_server_notification_schemas;
+use crate::export_server_param_schemas;
 use crate::export_server_response_schemas;
 use crate::export_server_responses;
 use anyhow::Context;
 use anyhow::Result;
 use anyhow::anyhow;
+use codex_protocol::parse_command::ParsedCommand;
+use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::FileChange;
+use codex_protocol::protocol::SandboxPolicy;
 use schemars::JsonSchema;
-use schemars::schema::RootSchema;
 use schemars::schema_for;
 use serde::Serialize;
 use serde_json::Map;
 use serde_json::Value;
-use std::collections::BTreeMap;
+use std::collections::HashMap;
 use std::collections::HashSet;
 use std::ffi::OsStr;
 use std::fs;
@@ -28,83 +35,29 @@ use ts_rs::TS;

 const HEADER: &str = "// GENERATED CODE! DO NOT MODIFY BY HAND!\n\n";

-macro_rules! for_each_schema_type {
-    ($macro:ident) => {
-        $macro!(crate::RequestId);
-        $macro!(crate::JSONRPCMessage);
-        $macro!(crate::JSONRPCRequest);
-        $macro!(crate::JSONRPCNotification);
-        $macro!(crate::JSONRPCResponse);
-        $macro!(crate::JSONRPCError);
-        $macro!(crate::JSONRPCErrorError);
-        $macro!(crate::AddConversationListenerParams);
-        $macro!(crate::AddConversationSubscriptionResponse);
-        $macro!(crate::ApplyPatchApprovalParams);
-        $macro!(crate::ApplyPatchApprovalResponse);
-        $macro!(crate::ArchiveConversationParams);
-        $macro!(crate::ArchiveConversationResponse);
-        $macro!(crate::AuthMode);
-        $macro!(crate::AuthStatusChangeNotification);
-        $macro!(crate::CancelLoginChatGptParams);
-        $macro!(crate::CancelLoginChatGptResponse);
-        $macro!(crate::ClientInfo);
-        $macro!(crate::ClientNotification);
-        $macro!(crate::ClientRequest);
-        $macro!(crate::ConversationSummary);
-        $macro!(crate::ExecCommandApprovalParams);
-        $macro!(crate::ExecCommandApprovalResponse);
-        $macro!(crate::ExecOneOffCommandParams);
-        $macro!(crate::ExecOneOffCommandResponse);
-        $macro!(crate::FuzzyFileSearchParams);
-        $macro!(crate::FuzzyFileSearchResponse);
-        $macro!(crate::FuzzyFileSearchResult);
-        $macro!(crate::GetAuthStatusParams);
-        $macro!(crate::GetAuthStatusResponse);
-        $macro!(crate::GetUserAgentResponse);
-        $macro!(crate::GetUserSavedConfigResponse);
-        $macro!(crate::GitDiffToRemoteParams);
-        $macro!(crate::GitDiffToRemoteResponse);
-        $macro!(crate::GitSha);
-        $macro!(crate::InitializeParams);
-        $macro!(crate::InitializeResponse);
-        $macro!(crate::InputItem);
-        $macro!(crate::InterruptConversationParams);
-        $macro!(crate::InterruptConversationResponse);
-        $macro!(crate::ListConversationsParams);
-        $macro!(crate::ListConversationsResponse);
-        $macro!(crate::LoginApiKeyParams);
-        $macro!(crate::LoginApiKeyResponse);
-        $macro!(crate::LoginChatGptCompleteNotification);
-        $macro!(crate::LoginChatGptResponse);
-        $macro!(crate::LogoutChatGptParams);
-        $macro!(crate::LogoutChatGptResponse);
-        $macro!(crate::NewConversationParams);
-        $macro!(crate::NewConversationResponse);
-        $macro!(crate::Profile);
-        $macro!(crate::RemoveConversationListenerParams);
-        $macro!(crate::RemoveConversationSubscriptionResponse);
-        $macro!(crate::ResumeConversationParams);
-        $macro!(crate::ResumeConversationResponse);
-        $macro!(crate::SandboxSettings);
-        $macro!(crate::SendUserMessageParams);
-        $macro!(crate::SendUserMessageResponse);
-        $macro!(crate::SendUserTurnParams);
-        $macro!(crate::SendUserTurnResponse);
-        $macro!(crate::ServerNotification);
-        $macro!(crate::ServerRequest);
-        $macro!(crate::SessionConfiguredNotification);
-        $macro!(crate::SetDefaultModelParams);
-        $macro!(crate::SetDefaultModelResponse);
-        $macro!(crate::Tools);
-        $macro!(crate::UserInfoResponse);
-        $macro!(crate::UserSavedConfig);
-        $macro!(codex_protocol::protocol::EventMsg);
-        $macro!(codex_protocol::protocol::FileChange);
-        $macro!(codex_protocol::parse_command::ParsedCommand);
-        $macro!(codex_protocol::protocol::SandboxPolicy);
-    };
+#[derive(Clone)]
+pub struct GeneratedSchema {
+    namespace: Option<String>,
+    logical_name: String,
+    value: Value,
+    in_v1_dir: bool,
 }

+impl GeneratedSchema {
+    fn namespace(&self) -> Option<&str> {
+        self.namespace.as_deref()
+    }
+
+    fn logical_name(&self) -> &str {
+        &self.logical_name
+    }
+
+    fn value(&self) -> &Value {
+        &self.value
+    }
+}
+
+type JsonSchemaEmitter = fn(&Path) -> Result<GeneratedSchema>;
 pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
    generate_ts(out_dir, prettier)?;
    generate_json(out_dir)?;
@@ -112,7 +65,9 @@ pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
 }

 pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
+    let v2_out_dir = out_dir.join("v2");
    ensure_dir(out_dir)?;
+    ensure_dir(&v2_out_dir)?;

    ClientRequest::export_all_to(out_dir)?;
    export_client_responses(out_dir)?;
@@ -123,12 +78,15 @@ pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
    ServerNotification::export_all_to(out_dir)?;

    generate_index_ts(out_dir)?;
+    generate_index_ts(&v2_out_dir)?;

-    let ts_files = ts_files_in(out_dir)?;
+    // Ensure our header is present on all TS files (root + subdirs like v2/).
+    let ts_files = ts_files_in_recursive(out_dir)?;
    for file in &ts_files {
        prepend_header_if_missing(file)?;
    }

+    // Optionally run Prettier on all generated TS files.
    if let Some(prettier_bin) = prettier
        && !ts_files.is_empty()
    {
@@ -147,23 +105,47 @@ pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {

 pub fn generate_json(out_dir: &Path) -> Result<()> {
    ensure_dir(out_dir)?;
-    let mut bundle: BTreeMap<String, RootSchema> = BTreeMap::new();
+    let envelope_emitters: &[JsonSchemaEmitter] = &[
+        |d| write_json_schema_with_return::<crate::RequestId>(d, "RequestId"),
+        |d| write_json_schema_with_return::<crate::JSONRPCMessage>(d, "JSONRPCMessage"),
+        |d| write_json_schema_with_return::<crate::JSONRPCRequest>(d, "JSONRPCRequest"),
+        |d| write_json_schema_with_return::<crate::JSONRPCNotification>(d, "JSONRPCNotification"),
+        |d| write_json_schema_with_return::<crate::JSONRPCResponse>(d, "JSONRPCResponse"),
+        |d| write_json_schema_with_return::<crate::JSONRPCError>(d, "JSONRPCError"),
+        |d| write_json_schema_with_return::<crate::JSONRPCErrorError>(d, "JSONRPCErrorError"),
+        |d| write_json_schema_with_return::<crate::ClientRequest>(d, "ClientRequest"),
+        |d| write_json_schema_with_return::<crate::ServerRequest>(d, "ServerRequest"),
+        |d| write_json_schema_with_return::<crate::ClientNotification>(d, "ClientNotification"),
+        |d| write_json_schema_with_return::<crate::ServerNotification>(d, "ServerNotification"),
+        |d| write_json_schema_with_return::<EventMsg>(d, "EventMsg"),
+        |d| write_json_schema_with_return::<FileChange>(d, "FileChange"),
+        |d| write_json_schema_with_return::<crate::protocol::v1::InputItem>(d, "InputItem"),
+        |d| write_json_schema_with_return::<ParsedCommand>(d, "ParsedCommand"),
+        |d| write_json_schema_with_return::<SandboxPolicy>(d, "SandboxPolicy"),
+    ];

-    macro_rules! add_schema {
-        ($ty:path) => {{
-            let name = type_basename(stringify!($ty));
-            let schema = write_json_schema_with_return::<$ty>(out_dir, &name)?;
-            bundle.insert(name, schema);
-        }};
+    let mut schemas: Vec<GeneratedSchema> = Vec::new();
+    for emit in envelope_emitters {
+        schemas.push(emit(out_dir)?);
    }

-    for_each_schema_type!(add_schema);
+    schemas.extend(export_client_param_schemas(out_dir)?);
+    schemas.extend(export_client_response_schemas(out_dir)?);
+    schemas.extend(export_server_param_schemas(out_dir)?);
+    schemas.extend(export_server_response_schemas(out_dir)?);
+    schemas.extend(export_client_notification_schemas(out_dir)?);
+    schemas.extend(export_server_notification_schemas(out_dir)?);

-    export_client_response_schemas(out_dir)?;
-    export_server_response_schemas(out_dir)?;
+    let bundle = build_schema_bundle(schemas)?;
+    write_pretty_json(
+        out_dir.join("codex_app_server_protocol.schemas.json"),
+        &bundle,
+    )?;

-    let mut definitions = Map::new();
+    Ok(())
+}

+fn build_schema_bundle(schemas: Vec<GeneratedSchema>) -> Result<Value> {
    const SPECIAL_DEFINITIONS: &[&str] = &[
        "ClientNotification",
        "ClientRequest",
@@ -176,22 +158,62 @@ pub fn generate_json(out_dir: &Path) -> Result<()> {
        "ServerRequest",
    ];

-    for (name, schema) in bundle {
-        let mut schema_value = serde_json::to_value(schema)?;
-        annotate_schema(&mut schema_value, Some(name.as_str()));
+    let namespaced_types = collect_namespaced_types(&schemas);
+    let mut definitions = Map::new();

-        if let Value::Object(ref mut obj) = schema_value
+    for schema in schemas {
+        let GeneratedSchema {
+            namespace,
+            logical_name,
+            mut value,
+            in_v1_dir,
+        } = schema;
+
+        if let Some(ref ns) = namespace {
+            rewrite_refs_to_namespace(&mut value, ns);
+        }
+
+        let mut forced_namespace_refs: Vec<(String, String)> = Vec::new();
+        if let Value::Object(ref mut obj) = value
            && let Some(defs) = obj.remove("definitions")
            && let Value::Object(defs_obj) = defs
        {
            for (def_name, mut def_schema) in defs_obj {
-                if !SPECIAL_DEFINITIONS.contains(&def_name.as_str()) {
-                    annotate_schema(&mut def_schema, Some(def_name.as_str()));
+                if SPECIAL_DEFINITIONS.contains(&def_name.as_str()) {
+                    continue;
+                }
+                annotate_schema(&mut def_schema, Some(def_name.as_str()));
+                let target_namespace = match namespace {
+                    Some(ref ns) => Some(ns.clone()),
+                    None => namespace_for_definition(&def_name, &namespaced_types)
+                        .cloned()
+                        .filter(|_| !in_v1_dir),
+                };
+                if let Some(ref ns) = target_namespace {
+                    if namespace.as_deref() == Some(ns.as_str()) {
+                        rewrite_refs_to_namespace(&mut def_schema, ns);
+                        insert_into_namespace(&mut definitions, ns, def_name.clone(), def_schema)?;
+                    } else if !forced_namespace_refs
+                        .iter()
+                        .any(|(name, existing_ns)| name == &def_name && existing_ns == ns)
+                    {
+                        forced_namespace_refs.push((def_name.clone(), ns.clone()));
+                    }
+                } else {
                    definitions.insert(def_name, def_schema);
                }
            }
        }
-        definitions.insert(name, schema_value);
+
+        for (name, ns) in forced_namespace_refs {
+            rewrite_named_ref_to_namespace(&mut value, &ns, &name);
+        }
+
+        if let Some(ref ns) = namespace {
+            insert_into_namespace(&mut definitions, ns, logical_name.clone(), value)?;
+        } else {
+            definitions.insert(logical_name, value);
+        }
    }

    let mut root = Map::new();
@@ -206,15 +228,28 @@ pub fn generate_json(out_dir: &Path) -> Result<()> {
    root.insert("type".to_string(), Value::String("object".into()));
    root.insert("definitions".to_string(), Value::Object(definitions));

-    write_pretty_json(
-        out_dir.join("codex_app_server_protocol.schemas.json"),
-        &Value::Object(root),
-    )?;
-
-    Ok(())
+    Ok(Value::Object(root))
 }

-fn write_json_schema_with_return<T>(out_dir: &Path, name: &str) -> Result<RootSchema>
+fn insert_into_namespace(
+    definitions: &mut Map<String, Value>,
+    namespace: &str,
+    name: String,
+    schema: Value,
+) -> Result<()> {
+    let entry = definitions
+        .entry(namespace.to_string())
+        .or_insert_with(|| Value::Object(Map::new()));
+    match entry {
+        Value::Object(map) => {
+            map.insert(name, schema);
+            Ok(())
+        }
+        _ => Err(anyhow!("expected namespace {namespace} to be an object")),
+    }
+}
+
+fn write_json_schema_with_return<T>(out_dir: &Path, name: &str) -> Result<GeneratedSchema>
 where
    T: JsonSchema,
 {
@@ -222,17 +257,37 @@ where
    let schema = schema_for!(T);
    let mut schema_value = serde_json::to_value(schema)?;
    annotate_schema(&mut schema_value, Some(file_stem));
-    write_pretty_json(out_dir.join(format!("{file_stem}.json")), &schema_value)
+    // If the name looks like a namespaced path (e.g., "v2::Type"), mirror
+    // the TypeScript layout and write to out_dir/v2/Type.json. Otherwise
+    // write alongside the legacy files.
+    let (raw_namespace, logical_name) = split_namespace(file_stem);
+    let out_path = if let Some(ns) = raw_namespace {
+        let dir = out_dir.join(ns);
+        ensure_dir(&dir)?;
+        dir.join(format!("{logical_name}.json"))
+    } else {
+        out_dir.join(format!("{file_stem}.json"))
+    };
+
+    write_pretty_json(out_path, &schema_value)
        .with_context(|| format!("Failed to write JSON schema for {file_stem}"))?;
-    let annotated_schema = serde_json::from_value(schema_value)?;
-    Ok(annotated_schema)
+    let namespace = match raw_namespace {
+        Some("v1") | None => None,
+        Some(ns) => Some(ns.to_string()),
+    };
+    Ok(GeneratedSchema {
+        in_v1_dir: raw_namespace == Some("v1"),
+        namespace,
+        logical_name: logical_name.to_string(),
+        value: schema_value,
+    })
 }

-pub(crate) fn write_json_schema<T>(out_dir: &Path, name: &str) -> Result<()>
+pub(crate) fn write_json_schema<T>(out_dir: &Path, name: &str) -> Result<GeneratedSchema>
 where
    T: JsonSchema,
 {
-    write_json_schema_with_return::<T>(out_dir, name).map(|_| ())
+    write_json_schema_with_return::<T>(out_dir, name)
 }

 fn write_pretty_json(path: PathBuf, value: &impl Serialize) -> Result<()> {
@@ -241,13 +296,73 @@ fn write_pretty_json(path: PathBuf, value: &impl Serialize) -> Result<()> {
    fs::write(&path, json).with_context(|| format!("Failed to write {}", path.display()))?;
    Ok(())
 }
-fn type_basename(type_path: &str) -> String {
-    type_path
-        .rsplit_once("::")
-        .map(|(_, name)| name)
-        .unwrap_or(type_path)
-        .trim()
-        .to_string()
+
+/// Split a fully-qualified type name like "v2::Type" into its namespace and logical name.
+fn split_namespace(name: &str) -> (Option<&str>, &str) {
+    name.split_once("::")
+        .map_or((None, name), |(ns, rest)| (Some(ns), rest))
+}
+
+/// Recursively rewrite $ref values that point at "#/definitions/..." so that
+/// they point to a namespaced location under the bundle.
+fn rewrite_refs_to_namespace(value: &mut Value, ns: &str) {
+    match value {
+        Value::Object(obj) => {
+            if let Some(Value::String(r)) = obj.get_mut("$ref")
+                && let Some(suffix) = r.strip_prefix("#/definitions/")
+            {
+                let prefix = format!("{ns}/");
+                if !suffix.starts_with(&prefix) {
+                    *r = format!("#/definitions/{ns}/{suffix}");
+                }
+            }
+            for v in obj.values_mut() {
+                rewrite_refs_to_namespace(v, ns);
+            }
+        }
+        Value::Array(items) => {
+            for v in items.iter_mut() {
+                rewrite_refs_to_namespace(v, ns);
+            }
+        }
+        _ => {}
+    }
+}
+
+fn collect_namespaced_types(schemas: &[GeneratedSchema]) -> HashMap<String, String> {
+    let mut types = HashMap::new();
+    for schema in schemas {
+        if let Some(ns) = schema.namespace() {
+            types
+                .entry(schema.logical_name().to_string())
+                .or_insert_with(|| ns.to_string());
+            if let Some(Value::Object(defs)) = schema.value().get("definitions") {
+                for key in defs.keys() {
+                    types.entry(key.clone()).or_insert_with(|| ns.to_string());
+                }
+            }
+            if let Some(Value::Object(defs)) = schema.value().get("$defs") {
+                for key in defs.keys() {
+                    types.entry(key.clone()).or_insert_with(|| ns.to_string());
+                }
+            }
+        }
+    }
+    types
+}
+
+fn namespace_for_definition<'a>(
+    name: &str,
+    types: &'a HashMap<String, String>,
+) -> Option<&'a String> {
+    if let Some(ns) = types.get(name) {
+        return Some(ns);
+    }
+    let trimmed = name.trim_end_matches(|c: char| c.is_ascii_digit());
+    if trimmed != name {
+        return types.get(trimmed);
+    }
+    None
 }

 fn variant_definition_name(base: &str, variant: &Value) -> Option<String> {
@@ -467,6 +582,33 @@ fn ensure_dir(dir: &Path) -> Result<()> {
        .with_context(|| format!("Failed to create output directory {}", dir.display()))
 }

+fn rewrite_named_ref_to_namespace(value: &mut Value, ns: &str, name: &str) {
+    let direct = format!("#/definitions/{name}");
+    let prefixed = format!("{direct}/");
+    let replacement = format!("#/definitions/{ns}/{name}");
+    let replacement_prefixed = format!("{replacement}/");
+    match value {
+        Value::Object(obj) => {
+            if let Some(Value::String(reference)) = obj.get_mut("$ref") {
+                if reference == &direct {
+                    *reference = replacement;
+                } else if let Some(rest) = reference.strip_prefix(&prefixed) {
+                    *reference = format!("{replacement_prefixed}{rest}");
+                }
+            }
+            for child in obj.values_mut() {
+                rewrite_named_ref_to_namespace(child, ns, name);
+            }
+        }
+        Value::Array(items) => {
+            for child in items {
+                rewrite_named_ref_to_namespace(child, ns, name);
+            }
+        }
+        _ => {}
+    }
+}
+
 fn prepend_header_if_missing(path: &Path) -> Result<()> {
    let mut content = String::new();
    {
@@ -504,6 +646,26 @@ fn ts_files_in(dir: &Path) -> Result<Vec<PathBuf>> {
    Ok(files)
 }

+fn ts_files_in_recursive(dir: &Path) -> Result<Vec<PathBuf>> {
+    let mut files = Vec::new();
+    let mut stack = vec![dir.to_path_buf()];
+    while let Some(d) = stack.pop() {
+        for entry in
+            fs::read_dir(&d).with_context(|| format!("Failed to read dir {}", d.display()))?
+        {
+            let entry = entry?;
+            let path = entry.path();
+            if path.is_dir() {
+                stack.push(path);
+            } else if path.is_file() && path.extension() == Some(OsStr::new("ts")) {
+                files.push(path);
+            }
+        }
+    }
+    files.sort();
+    Ok(files)
+}
+
 fn generate_index_ts(out_dir: &Path) -> Result<PathBuf> {
    let mut entries: Vec<String> = Vec::new();
    let mut stems: Vec<String> = ts_files_in(out_dir)?
@@ -520,6 +682,14 @@ fn generate_index_ts(out_dir: &Path) -> Result<PathBuf> {
        entries.push(format!("export type {{ {name} }} from \"./{name}\";\n"));
    }

+    // If this is the root out_dir and a ./v2 folder exists with TS files,
+    // expose it as a namespace to avoid symbol collisions at the root.
+    let v2_dir = out_dir.join("v2");
+    let has_v2_ts = ts_files_in(&v2_dir).map(|v| !v.is_empty()).unwrap_or(false);
+    if has_v2_ts {
+        entries.push("export * as v2 from \"./v2\";\n".to_string());
+    }
+
    let mut content =
        String::with_capacity(HEADER.len() + entries.iter().map(String::len).sum::<usize>());
    content.push_str(HEADER);
@@ -546,6 +716,7 @@ mod tests {

    #[test]
    fn generated_ts_has_no_optional_nullable_fields() -> Result<()> {
+        // Assert that there are no types of the form "?: T | null" in the generated TS files.
        let output_dir = std::env::temp_dir().join(format!("codex_ts_types_{}", Uuid::now_v7()));
        fs::create_dir(&output_dir)?;

--- a/codex-rs/app-server-protocol/src/lib.rs
+++ b/codex-rs/app-server-protocol/src/lib.rs
@@ -6,4 +6,6 @@ pub use export::generate_json;
 pub use export::generate_ts;
 pub use export::generate_types;
 pub use jsonrpc_lite::*;
-pub use protocol::*;
+pub use protocol::common::*;
+pub use protocol::v1::*;
+pub use protocol::v2::*;
--- a/codex-rs/app-server-protocol/src/protocol.rs
+++ b/codex-rs/app-server-protocol/src/protocol.rs
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -0,0 +1,824 @@
+use std::collections::HashMap;
+use std::path::Path;
+use std::path::PathBuf;
+
+use crate::JSONRPCNotification;
+use crate::JSONRPCRequest;
+use crate::RequestId;
+use crate::export::GeneratedSchema;
+use crate::export::write_json_schema;
+use crate::protocol::v1;
+use crate::protocol::v2;
+use codex_protocol::ConversationId;
+use codex_protocol::parse_command::ParsedCommand;
+use codex_protocol::protocol::FileChange;
+use codex_protocol::protocol::ReviewDecision;
+use codex_protocol::protocol::SandboxCommandAssessment;
+use paste::paste;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use strum_macros::Display;
+use ts_rs::TS;
+
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema, TS)]
+#[ts(type = "string")]
+pub struct GitSha(pub String);
+
+impl GitSha {
+    pub fn new(sha: &str) -> Self {
+        Self(sha.to_string())
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Display, JsonSchema, TS)]
+#[serde(rename_all = "lowercase")]
+pub enum AuthMode {
+    ApiKey,
+    ChatGPT,
+}
+
+/// Generates an `enum ClientRequest` where each variant is a request that the
+/// client can send to the server. Each variant has associated `params` and
+/// `response` types. Also generates a `export_client_responses()` function to
+/// export all response types to TypeScript.
+macro_rules! client_request_definitions {
+    (
+        $(
+            $(#[$variant_meta:meta])*
+            $variant:ident {
+                params: $(#[$params_meta:meta])* $params:ty,
+                response: $response:ty,
+            }
+        ),* $(,)?
+    ) => {
+        /// Request from the client to the server.
+        #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+        #[serde(tag = "method", rename_all = "camelCase")]
+        pub enum ClientRequest {
+            $(
+                $(#[$variant_meta])*
+                $variant {
+                    #[serde(rename = "id")]
+                    request_id: RequestId,
+                    $(#[$params_meta])*
+                    params: $params,
+                },
+            )*
+        }
+
+        pub fn export_client_responses(
+            out_dir: &::std::path::Path,
+        ) -> ::std::result::Result<(), ::ts_rs::ExportError> {
+            $(
+                <$response as ::ts_rs::TS>::export_all_to(out_dir)?;
+            )*
+            Ok(())
+        }
+
+        #[allow(clippy::vec_init_then_push)]
+        pub fn export_client_response_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<Vec<GeneratedSchema>> {
+            let mut schemas = Vec::new();
+            $(
+                schemas.push(write_json_schema::<$response>(out_dir, stringify!($response))?);
+            )*
+            Ok(schemas)
+        }
+
+        #[allow(clippy::vec_init_then_push)]
+        pub fn export_client_param_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<Vec<GeneratedSchema>> {
+            let mut schemas = Vec::new();
+            $(
+                schemas.push(write_json_schema::<$params>(out_dir, stringify!($params))?);
+            )*
+            Ok(schemas)
+        }
+    };
+}
+
+client_request_definitions! {
+    /// NEW APIs
+    // Thread lifecycle
+    #[serde(rename = "thread/start")]
+    #[ts(rename = "thread/start")]
+    ThreadStart {
+        params: v2::ThreadStartParams,
+        response: v2::ThreadStartResponse,
+    },
+    #[serde(rename = "thread/resume")]
+    #[ts(rename = "thread/resume")]
+    ThreadResume {
+        params: v2::ThreadResumeParams,
+        response: v2::ThreadResumeResponse,
+    },
+    #[serde(rename = "thread/archive")]
+    #[ts(rename = "thread/archive")]
+    ThreadArchive {
+        params: v2::ThreadArchiveParams,
+        response: v2::ThreadArchiveResponse,
+    },
+    #[serde(rename = "thread/list")]
+    #[ts(rename = "thread/list")]
+    ThreadList {
+        params: v2::ThreadListParams,
+        response: v2::ThreadListResponse,
+    },
+    #[serde(rename = "thread/compact")]
+    #[ts(rename = "thread/compact")]
+    ThreadCompact {
+        params: v2::ThreadCompactParams,
+        response: v2::ThreadCompactResponse,
+    },
+    #[serde(rename = "turn/start")]
+    #[ts(rename = "turn/start")]
+    TurnStart {
+        params: v2::TurnStartParams,
+        response: v2::TurnStartResponse,
+    },
+    #[serde(rename = "turn/interrupt")]
+    #[ts(rename = "turn/interrupt")]
+    TurnInterrupt {
+        params: v2::TurnInterruptParams,
+        response: v2::TurnInterruptResponse,
+    },
+
+    #[serde(rename = "model/list")]
+    #[ts(rename = "model/list")]
+    ModelList {
+        params: v2::ModelListParams,
+        response: v2::ModelListResponse,
+    },
+
+    #[serde(rename = "account/login/start")]
+    #[ts(rename = "account/login/start")]
+    LoginAccount {
+        params: v2::LoginAccountParams,
+        response: v2::LoginAccountResponse,
+    },
+
+    #[serde(rename = "account/login/cancel")]
+    #[ts(rename = "account/login/cancel")]
+    CancelLoginAccount {
+        params: v2::CancelLoginAccountParams,
+        response: v2::CancelLoginAccountResponse,
+    },
+
+    #[serde(rename = "account/logout")]
+    #[ts(rename = "account/logout")]
+    LogoutAccount {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v2::LogoutAccountResponse,
+    },
+
+    #[serde(rename = "account/rateLimits/read")]
+    #[ts(rename = "account/rateLimits/read")]
+    GetAccountRateLimits {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v2::GetAccountRateLimitsResponse,
+    },
+
+    #[serde(rename = "feedback/upload")]
+    #[ts(rename = "feedback/upload")]
+    FeedbackUpload {
+        params: v2::FeedbackUploadParams,
+        response: v2::FeedbackUploadResponse,
+    },
+
+    #[serde(rename = "account/read")]
+    #[ts(rename = "account/read")]
+    GetAccount {
+        params: v2::GetAccountParams,
+        response: v2::GetAccountResponse,
+    },
+
+    /// DEPRECATED APIs below
+    Initialize {
+        params: v1::InitializeParams,
+        response: v1::InitializeResponse,
+    },
+    NewConversation {
+        params: v1::NewConversationParams,
+        response: v1::NewConversationResponse,
+    },
+    GetConversationSummary {
+        params: v1::GetConversationSummaryParams,
+        response: v1::GetConversationSummaryResponse,
+    },
+    /// List recorded Codex conversations (rollouts) with optional pagination and search.
+    ListConversations {
+        params: v1::ListConversationsParams,
+        response: v1::ListConversationsResponse,
+    },
+    /// Resume a recorded Codex conversation from a rollout file.
+    ResumeConversation {
+        params: v1::ResumeConversationParams,
+        response: v1::ResumeConversationResponse,
+    },
+    ArchiveConversation {
+        params: v1::ArchiveConversationParams,
+        response: v1::ArchiveConversationResponse,
+    },
+    SendUserMessage {
+        params: v1::SendUserMessageParams,
+        response: v1::SendUserMessageResponse,
+    },
+    SendUserTurn {
+        params: v1::SendUserTurnParams,
+        response: v1::SendUserTurnResponse,
+    },
+    InterruptConversation {
+        params: v1::InterruptConversationParams,
+        response: v1::InterruptConversationResponse,
+    },
+    AddConversationListener {
+        params: v1::AddConversationListenerParams,
+        response: v1::AddConversationSubscriptionResponse,
+    },
+    RemoveConversationListener {
+        params: v1::RemoveConversationListenerParams,
+        response: v1::RemoveConversationSubscriptionResponse,
+    },
+    GitDiffToRemote {
+        params: v1::GitDiffToRemoteParams,
+        response: v1::GitDiffToRemoteResponse,
+    },
+    LoginApiKey {
+        params: v1::LoginApiKeyParams,
+        response: v1::LoginApiKeyResponse,
+    },
+    LoginChatGpt {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::LoginChatGptResponse,
+    },
+    // DEPRECATED in favor of CancelLoginAccount
+    CancelLoginChatGpt {
+        params: v1::CancelLoginChatGptParams,
+        response: v1::CancelLoginChatGptResponse,
+    },
+    LogoutChatGpt {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::LogoutChatGptResponse,
+    },
+    /// DEPRECATED in favor of GetAccount
+    GetAuthStatus {
+        params: v1::GetAuthStatusParams,
+        response: v1::GetAuthStatusResponse,
+    },
+    GetUserSavedConfig {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::GetUserSavedConfigResponse,
+    },
+    SetDefaultModel {
+        params: v1::SetDefaultModelParams,
+        response: v1::SetDefaultModelResponse,
+    },
+    GetUserAgent {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::GetUserAgentResponse,
+    },
+    UserInfo {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::UserInfoResponse,
+    },
+    FuzzyFileSearch {
+        params: FuzzyFileSearchParams,
+        response: FuzzyFileSearchResponse,
+    },
+    /// Execute a command (argv vector) under the server's sandbox.
+    ExecOneOffCommand {
+        params: v1::ExecOneOffCommandParams,
+        response: v1::ExecOneOffCommandResponse,
+    },
+}
+
+/// Generates an `enum ServerRequest` where each variant is a request that the
+/// server can send to the client along with the corresponding params and
+/// response types. It also generates helper types used by the app/server
+/// infrastructure (payload enum, request constructor, and export helpers).
+macro_rules! server_request_definitions {
+    (
+        $(
+            $(#[$variant_meta:meta])*
+            $variant:ident
+        ),* $(,)?
+    ) => {
+        paste! {
+            /// Request initiated from the server and sent to the client.
+            #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+            #[serde(tag = "method", rename_all = "camelCase")]
+            pub enum ServerRequest {
+                $(
+                    $(#[$variant_meta])*
+                    $variant {
+                        #[serde(rename = "id")]
+                        request_id: RequestId,
+                        params: [<$variant Params>],
+                    },
+                )*
+            }
+
+            #[derive(Debug, Clone, PartialEq, JsonSchema)]
+            pub enum ServerRequestPayload {
+                $( $variant([<$variant Params>]), )*
+            }
+
+            impl ServerRequestPayload {
+                pub fn request_with_id(self, request_id: RequestId) -> ServerRequest {
+                    match self {
+                        $(Self::$variant(params) => ServerRequest::$variant { request_id, params },)*
+                    }
+                }
+            }
+        }
+
+        pub fn export_server_responses(
+            out_dir: &::std::path::Path,
+        ) -> ::std::result::Result<(), ::ts_rs::ExportError> {
+            paste! {
+                $(<[<$variant Response>] as ::ts_rs::TS>::export_all_to(out_dir)?;)*
+            }
+            Ok(())
+        }
+
+        #[allow(clippy::vec_init_then_push)]
+        pub fn export_server_response_schemas(
+            out_dir: &Path,
+        ) -> ::anyhow::Result<Vec<GeneratedSchema>> {
+            let mut schemas = Vec::new();
+            paste! {
+                $(schemas.push(crate::export::write_json_schema::<[<$variant Response>]>(out_dir, stringify!([<$variant Response>]))?);)*
+            }
+            Ok(schemas)
+        }
+
+        #[allow(clippy::vec_init_then_push)]
+        pub fn export_server_param_schemas(
+            out_dir: &Path,
+        ) -> ::anyhow::Result<Vec<GeneratedSchema>> {
+            let mut schemas = Vec::new();
+            paste! {
+                $(schemas.push(crate::export::write_json_schema::<[<$variant Params>]>(out_dir, stringify!([<$variant Params>]))?);)*
+            }
+            Ok(schemas)
+        }
+    };
+}
+
+/// Generates `ServerNotification` enum and helpers, including a JSON Schema
+/// exporter for each notification.
+macro_rules! server_notification_definitions {
+    (
+        $(
+            $(#[$variant_meta:meta])*
+            $variant:ident $(=> $wire:literal)? ( $payload:ty )
+        ),* $(,)?
+    ) => {
+        /// Notification sent from the server to the client.
+        #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS, Display)]
+        #[serde(tag = "method", content = "params", rename_all = "camelCase")]
+        #[strum(serialize_all = "camelCase")]
+        pub enum ServerNotification {
+            $(
+                $(#[$variant_meta])*
+                $(#[serde(rename = $wire)] #[ts(rename = $wire)] #[strum(serialize = $wire)])?
+                $variant($payload),
+            )*
+        }
+
+        impl ServerNotification {
+            pub fn to_params(self) -> Result<serde_json::Value, serde_json::Error> {
+                match self {
+                    $(Self::$variant(params) => serde_json::to_value(params),)*
+                }
+            }
+        }
+
+        impl TryFrom<JSONRPCNotification> for ServerNotification {
+            type Error = serde_json::Error;
+
+            fn try_from(value: JSONRPCNotification) -> Result<Self, Self::Error> {
+                serde_json::from_value(serde_json::to_value(value)?)
+            }
+        }
+
+        #[allow(clippy::vec_init_then_push)]
+        pub fn export_server_notification_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<Vec<GeneratedSchema>> {
+            let mut schemas = Vec::new();
+            $(schemas.push(crate::export::write_json_schema::<$payload>(out_dir, stringify!($payload))?);)*
+            Ok(schemas)
+        }
+    };
+}
+/// Notifications sent from the client to the server.
+macro_rules! client_notification_definitions {
+    (
+        $(
+            $(#[$variant_meta:meta])*
+            $variant:ident $( ( $payload:ty ) )?
+        ),* $(,)?
+    ) => {
+        #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS, Display)]
+        #[serde(tag = "method", content = "params", rename_all = "camelCase")]
+        #[strum(serialize_all = "camelCase")]
+        pub enum ClientNotification {
+            $(
+                $(#[$variant_meta])*
+                $variant $( ( $payload ) )?,
+            )*
+        }
+
+        pub fn export_client_notification_schemas(
+            _out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<Vec<GeneratedSchema>> {
+            let schemas = Vec::new();
+            $( $(schemas.push(crate::export::write_json_schema::<$payload>(_out_dir, stringify!($payload))?);)? )*
+            Ok(schemas)
+        }
+    };
+}
+
+impl TryFrom<JSONRPCRequest> for ServerRequest {
+    type Error = serde_json::Error;
+
+    fn try_from(value: JSONRPCRequest) -> Result<Self, Self::Error> {
+        serde_json::from_value(serde_json::to_value(value)?)
+    }
+}
+
+server_request_definitions! {
+    /// Request to approve a patch.
+    ApplyPatchApproval,
+    /// Request to exec a command.
+    ExecCommandApproval,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ApplyPatchApprovalParams {
+    pub conversation_id: ConversationId,
+    /// Use to correlate this with [codex_core::protocol::PatchApplyBeginEvent]
+    /// and [codex_core::protocol::PatchApplyEndEvent].
+    pub call_id: String,
+    pub file_changes: HashMap<PathBuf, FileChange>,
+    /// Optional explanatory reason (e.g. request for extra write access).
+    pub reason: Option<String>,
+    /// When set, the agent is asking the user to allow writes under this root
+    /// for the remainder of the session (unclear if this is honored today).
+    pub grant_root: Option<PathBuf>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ExecCommandApprovalParams {
+    pub conversation_id: ConversationId,
+    /// Use to correlate this with [codex_core::protocol::ExecCommandBeginEvent]
+    /// and [codex_core::protocol::ExecCommandEndEvent].
+    pub call_id: String,
+    pub command: Vec<String>,
+    pub cwd: PathBuf,
+    pub reason: Option<String>,
+    pub risk: Option<SandboxCommandAssessment>,
+    pub parsed_cmd: Vec<ParsedCommand>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct ExecCommandApprovalResponse {
+    pub decision: ReviewDecision,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct ApplyPatchApprovalResponse {
+    pub decision: ReviewDecision,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchParams {
+    pub query: String,
+    pub roots: Vec<String>,
+    // if provided, will cancel any previous request that used the same value
+    pub cancellation_token: Option<String>,
+}
+
+/// Superset of [`codex_file_search::FileMatch`]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct FuzzyFileSearchResult {
+    pub root: String,
+    pub path: String,
+    pub file_name: String,
+    pub score: u32,
+    pub indices: Option<Vec<u32>>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct FuzzyFileSearchResponse {
+    pub files: Vec<FuzzyFileSearchResult>,
+}
+
+server_notification_definitions! {
+    /// NEW NOTIFICATIONS
+    ThreadStarted => "thread/started" (v2::ThreadStartedNotification),
+    TurnStarted => "turn/started" (v2::TurnStartedNotification),
+    TurnCompleted => "turn/completed" (v2::TurnCompletedNotification),
+    ItemStarted => "item/started" (v2::ItemStartedNotification),
+    ItemCompleted => "item/completed" (v2::ItemCompletedNotification),
+    AgentMessageDelta => "item/agentMessage/delta" (v2::AgentMessageDeltaNotification),
+    CommandExecutionOutputDelta => "item/commandExecution/outputDelta" (v2::CommandExecutionOutputDeltaNotification),
+    McpToolCallProgress => "item/mcpToolCall/progress" (v2::McpToolCallProgressNotification),
+    AccountUpdated => "account/updated" (v2::AccountUpdatedNotification),
+    AccountRateLimitsUpdated => "account/rateLimits/updated" (v2::AccountRateLimitsUpdatedNotification),
+
+    #[serde(rename = "account/login/completed")]
+    #[ts(rename = "account/login/completed")]
+    #[strum(serialize = "account/login/completed")]
+    AccountLoginCompleted(v2::AccountLoginCompletedNotification),
+
+    /// DEPRECATED NOTIFICATIONS below
+    AuthStatusChange(v1::AuthStatusChangeNotification),
+
+    /// Deprecated: use `account/login/completed` instead.
+    LoginChatGptComplete(v1::LoginChatGptCompleteNotification),
+    SessionConfigured(v1::SessionConfiguredNotification),
+}
+
+client_notification_definitions! {
+    Initialized,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use anyhow::Result;
+    use codex_protocol::account::PlanType;
+    use codex_protocol::protocol::AskForApproval;
+    use pretty_assertions::assert_eq;
+    use serde_json::json;
+
+    #[test]
+    fn serialize_new_conversation() -> Result<()> {
+        let request = ClientRequest::NewConversation {
+            request_id: RequestId::Integer(42),
+            params: v1::NewConversationParams {
+                model: Some("gpt-5-codex".to_string()),
+                model_provider: None,
+                profile: None,
+                cwd: None,
+                approval_policy: Some(AskForApproval::OnRequest),
+                sandbox: None,
+                config: None,
+                base_instructions: None,
+                developer_instructions: None,
+                compact_prompt: None,
+                include_apply_patch_tool: None,
+            },
+        };
+        assert_eq!(
+            json!({
+                "method": "newConversation",
+                "id": 42,
+                "params": {
+                    "model": "gpt-5-codex",
+                    "modelProvider": null,
+                    "profile": null,
+                    "cwd": null,
+                    "approvalPolicy": "on-request",
+                    "sandbox": null,
+                    "config": null,
+                    "baseInstructions": null,
+                    "includeApplyPatchTool": null
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn conversation_id_serializes_as_plain_string() -> Result<()> {
+        let id = ConversationId::from_string("67e55044-10b1-426f-9247-bb680e5fe0c8")?;
+
+        assert_eq!(
+            json!("67e55044-10b1-426f-9247-bb680e5fe0c8"),
+            serde_json::to_value(id)?
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn conversation_id_deserializes_from_plain_string() -> Result<()> {
+        let id: ConversationId =
+            serde_json::from_value(json!("67e55044-10b1-426f-9247-bb680e5fe0c8"))?;
+
+        assert_eq!(
+            ConversationId::from_string("67e55044-10b1-426f-9247-bb680e5fe0c8")?,
+            id,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_client_notification() -> Result<()> {
+        let notification = ClientNotification::Initialized;
+        // Note there is no "params" field for this notification.
+        assert_eq!(
+            json!({
+                "method": "initialized",
+            }),
+            serde_json::to_value(&notification)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_server_request() -> Result<()> {
+        let conversation_id = ConversationId::from_string("67e55044-10b1-426f-9247-bb680e5fe0c8")?;
+        let params = ExecCommandApprovalParams {
+            conversation_id,
+            call_id: "call-42".to_string(),
+            command: vec!["echo".to_string(), "hello".to_string()],
+            cwd: PathBuf::from("/tmp"),
+            reason: Some("because tests".to_string()),
+            risk: None,
+            parsed_cmd: vec![ParsedCommand::Unknown {
+                cmd: "echo hello".to_string(),
+            }],
+        };
+        let request = ServerRequest::ExecCommandApproval {
+            request_id: RequestId::Integer(7),
+            params: params.clone(),
+        };
+
+        assert_eq!(
+            json!({
+                "method": "execCommandApproval",
+                "id": 7,
+                "params": {
+                    "conversationId": "67e55044-10b1-426f-9247-bb680e5fe0c8",
+                    "callId": "call-42",
+                    "command": ["echo", "hello"],
+                    "cwd": "/tmp",
+                    "reason": "because tests",
+                    "risk": null,
+                    "parsedCmd": [
+                        {
+                            "type": "unknown",
+                            "cmd": "echo hello"
+                        }
+                    ]
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+
+        let payload = ServerRequestPayload::ExecCommandApproval(params);
+        assert_eq!(payload.request_with_id(RequestId::Integer(7)), request);
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_get_account_rate_limits() -> Result<()> {
+        let request = ClientRequest::GetAccountRateLimits {
+            request_id: RequestId::Integer(1),
+            params: None,
+        };
+        assert_eq!(
+            json!({
+                "method": "account/rateLimits/read",
+                "id": 1,
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_account_login_api_key() -> Result<()> {
+        let request = ClientRequest::LoginAccount {
+            request_id: RequestId::Integer(2),
+            params: v2::LoginAccountParams::ApiKey {
+                api_key: "secret".to_string(),
+            },
+        };
+        assert_eq!(
+            json!({
+                "method": "account/login/start",
+                "id": 2,
+                "params": {
+                    "type": "apiKey",
+                    "apiKey": "secret"
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_account_login_chatgpt() -> Result<()> {
+        let request = ClientRequest::LoginAccount {
+            request_id: RequestId::Integer(3),
+            params: v2::LoginAccountParams::Chatgpt,
+        };
+        assert_eq!(
+            json!({
+                "method": "account/login/start",
+                "id": 3,
+                "params": {
+                    "type": "chatgpt"
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_account_logout() -> Result<()> {
+        let request = ClientRequest::LogoutAccount {
+            request_id: RequestId::Integer(4),
+            params: None,
+        };
+        assert_eq!(
+            json!({
+                "method": "account/logout",
+                "id": 4,
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_get_account() -> Result<()> {
+        let request = ClientRequest::GetAccount {
+            request_id: RequestId::Integer(5),
+            params: v2::GetAccountParams {
+                refresh_token: false,
+            },
+        };
+        assert_eq!(
+            json!({
+                "method": "account/read",
+                "id": 5,
+                "params": {
+                    "refreshToken": false
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn account_serializes_fields_in_camel_case() -> Result<()> {
+        let api_key = v2::Account::ApiKey {};
+        assert_eq!(
+            json!({
+                "type": "apiKey",
+            }),
+            serde_json::to_value(&api_key)?,
+        );
+
+        let chatgpt = v2::Account::Chatgpt {
+            email: "user@example.com".to_string(),
+            plan_type: PlanType::Plus,
+        };
+        assert_eq!(
+            json!({
+                "type": "chatgpt",
+                "email": "user@example.com",
+                "planType": "plus",
+            }),
+            serde_json::to_value(&chatgpt)?,
+        );
+
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_list_models() -> Result<()> {
+        let request = ClientRequest::ModelList {
+            request_id: RequestId::Integer(6),
+            params: v2::ModelListParams::default(),
+        };
+        assert_eq!(
+            json!({
+                "method": "model/list",
+                "id": 6,
+                "params": {
+                    "limit": null,
+                    "cursor": null
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+}
--- a/codex-rs/app-server-protocol/src/protocol/mod.rs
+++ b/codex-rs/app-server-protocol/src/protocol/mod.rs
@@ -0,0 +1,6 @@
+// Module declarations for the app-server protocol namespace.
+// Exposes protocol pieces used by `lib.rs` via `pub use protocol::common::*;`.
+
+pub mod common;
+pub mod v1;
+pub mod v2;
--- a/codex-rs/app-server-protocol/src/protocol/v1.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v1.rs
@@ -0,0 +1,418 @@
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+use codex_protocol::ConversationId;
+use codex_protocol::config_types::ForcedLoginMethod;
+use codex_protocol::config_types::ReasoningEffort;
+use codex_protocol::config_types::ReasoningSummary;
+use codex_protocol::config_types::SandboxMode;
+use codex_protocol::config_types::Verbosity;
+use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::protocol::SessionSource;
+use codex_protocol::protocol::TurnAbortReason;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use ts_rs::TS;
+use uuid::Uuid;
+
+// Reuse shared types defined in `common.rs`.
+use crate::protocol::common::AuthMode;
+use crate::protocol::common::GitSha;
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct InitializeParams {
+    pub client_info: ClientInfo,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ClientInfo {
+    pub name: String,
+    pub title: Option<String>,
+    pub version: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct InitializeResponse {
+    pub user_agent: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct NewConversationParams {
+    pub model: Option<String>,
+    pub model_provider: Option<String>,
+    pub profile: Option<String>,
+    pub cwd: Option<String>,
+    pub approval_policy: Option<AskForApproval>,
+    pub sandbox: Option<SandboxMode>,
+    pub config: Option<HashMap<String, serde_json::Value>>,
+    pub base_instructions: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub developer_instructions: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub compact_prompt: Option<String>,
+    pub include_apply_patch_tool: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct NewConversationResponse {
+    pub conversation_id: ConversationId,
+    pub model: String,
+    pub reasoning_effort: Option<ReasoningEffort>,
+    pub rollout_path: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ResumeConversationResponse {
+    pub conversation_id: ConversationId,
+    pub model: String,
+    pub initial_messages: Option<Vec<EventMsg>>,
+    pub rollout_path: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(untagged)]
+pub enum GetConversationSummaryParams {
+    RolloutPath {
+        #[serde(rename = "rolloutPath")]
+        rollout_path: PathBuf,
+    },
+    ConversationId {
+        #[serde(rename = "conversationId")]
+        conversation_id: ConversationId,
+    },
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetConversationSummaryResponse {
+    pub summary: ConversationSummary,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ListConversationsParams {
+    pub page_size: Option<usize>,
+    pub cursor: Option<String>,
+    pub model_providers: Option<Vec<String>>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ConversationSummary {
+    pub conversation_id: ConversationId,
+    pub path: PathBuf,
+    pub preview: String,
+    pub timestamp: Option<String>,
+    pub model_provider: String,
+    pub cwd: PathBuf,
+    pub cli_version: String,
+    pub source: SessionSource,
+    pub git_info: Option<ConversationGitInfo>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "snake_case")]
+pub struct ConversationGitInfo {
+    pub sha: Option<String>,
+    pub branch: Option<String>,
+    pub origin_url: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ListConversationsResponse {
+    pub items: Vec<ConversationSummary>,
+    pub next_cursor: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ResumeConversationParams {
+    pub path: Option<PathBuf>,
+    pub conversation_id: Option<ConversationId>,
+    pub history: Option<Vec<ResponseItem>>,
+    pub overrides: Option<NewConversationParams>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct AddConversationSubscriptionResponse {
+    #[schemars(with = "String")]
+    pub subscription_id: Uuid,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ArchiveConversationParams {
+    pub conversation_id: ConversationId,
+    pub rollout_path: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ArchiveConversationResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct RemoveConversationSubscriptionResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginApiKeyParams {
+    pub api_key: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginApiKeyResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginChatGptResponse {
+    #[schemars(with = "String")]
+    pub login_id: Uuid,
+    pub auth_url: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GitDiffToRemoteResponse {
+    pub sha: GitSha,
+    pub diff: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct CancelLoginChatGptParams {
+    #[schemars(with = "String")]
+    pub login_id: Uuid,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GitDiffToRemoteParams {
+    pub cwd: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct CancelLoginChatGptResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LogoutChatGptParams {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LogoutChatGptResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetAuthStatusParams {
+    pub include_token: Option<bool>,
+    pub refresh_token: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ExecOneOffCommandParams {
+    pub command: Vec<String>,
+    pub timeout_ms: Option<u64>,
+    pub cwd: Option<PathBuf>,
+    pub sandbox_policy: Option<SandboxPolicy>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ExecOneOffCommandResponse {
+    pub exit_code: i32,
+    pub stdout: String,
+    pub stderr: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetAuthStatusResponse {
+    pub auth_method: Option<AuthMode>,
+    pub auth_token: Option<String>,
+    pub requires_openai_auth: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetUserAgentResponse {
+    pub user_agent: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct UserInfoResponse {
+    pub alleged_user_email: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetUserSavedConfigResponse {
+    pub config: UserSavedConfig,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SetDefaultModelParams {
+    pub model: Option<String>,
+    pub reasoning_effort: Option<ReasoningEffort>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SetDefaultModelResponse {}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct UserSavedConfig {
+    pub approval_policy: Option<AskForApproval>,
+    pub sandbox_mode: Option<SandboxMode>,
+    pub sandbox_settings: Option<SandboxSettings>,
+    pub forced_chatgpt_workspace_id: Option<String>,
+    pub forced_login_method: Option<ForcedLoginMethod>,
+    pub model: Option<String>,
+    pub model_reasoning_effort: Option<ReasoningEffort>,
+    pub model_reasoning_summary: Option<ReasoningSummary>,
+    pub model_verbosity: Option<Verbosity>,
+    pub tools: Option<Tools>,
+    pub profile: Option<String>,
+    pub profiles: HashMap<String, Profile>,
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct Profile {
+    pub model: Option<String>,
+    pub model_provider: Option<String>,
+    pub approval_policy: Option<AskForApproval>,
+    pub model_reasoning_effort: Option<ReasoningEffort>,
+    pub model_reasoning_summary: Option<ReasoningSummary>,
+    pub model_verbosity: Option<Verbosity>,
+    pub chatgpt_base_url: Option<String>,
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct Tools {
+    pub web_search: Option<bool>,
+    pub view_image: Option<bool>,
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SandboxSettings {
+    #[serde(default)]
+    pub writable_roots: Vec<PathBuf>,
+    pub network_access: Option<bool>,
+    pub exclude_tmpdir_env_var: Option<bool>,
+    pub exclude_slash_tmp: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SendUserMessageParams {
+    pub conversation_id: ConversationId,
+    pub items: Vec<InputItem>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SendUserTurnParams {
+    pub conversation_id: ConversationId,
+    pub items: Vec<InputItem>,
+    pub cwd: PathBuf,
+    pub approval_policy: AskForApproval,
+    pub sandbox_policy: SandboxPolicy,
+    pub model: String,
+    pub effort: Option<ReasoningEffort>,
+    pub summary: ReasoningSummary,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SendUserTurnResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct InterruptConversationParams {
+    pub conversation_id: ConversationId,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct InterruptConversationResponse {
+    pub abort_reason: TurnAbortReason,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SendUserMessageResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct AddConversationListenerParams {
+    pub conversation_id: ConversationId,
+    #[serde(default)]
+    pub experimental_raw_events: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct RemoveConversationListenerParams {
+    #[schemars(with = "String")]
+    pub subscription_id: Uuid,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[serde(tag = "type", content = "data")]
+pub enum InputItem {
+    Text { text: String },
+    Image { image_url: String },
+    LocalImage { path: PathBuf },
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+/// Deprecated in favor of AccountLoginCompletedNotification.
+pub struct LoginChatGptCompleteNotification {
+    #[schemars(with = "String")]
+    pub login_id: Uuid,
+    pub success: bool,
+    pub error: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SessionConfiguredNotification {
+    pub session_id: ConversationId,
+    pub model: String,
+    pub reasoning_effort: Option<ReasoningEffort>,
+    pub history_log_id: u64,
+    #[ts(type = "number")]
+    pub history_entry_count: usize,
+    pub initial_messages: Option<Vec<EventMsg>>,
+    pub rollout_path: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+/// Deprecated notification. Use AccountUpdatedNotification instead.
+pub struct AuthStatusChangeNotification {
+    pub auth_method: Option<AuthMode>,
+}
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -0,0 +1,710 @@
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+use crate::protocol::common::AuthMode;
+use codex_protocol::ConversationId;
+use codex_protocol::account::PlanType;
+use codex_protocol::config_types::ReasoningEffort;
+use codex_protocol::config_types::ReasoningSummary;
+use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
+use codex_protocol::protocol::RateLimitWindow as CoreRateLimitWindow;
+use codex_protocol::user_input::UserInput as CoreUserInput;
+use mcp_types::ContentBlock as McpContentBlock;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use serde_json::Value as JsonValue;
+use ts_rs::TS;
+
+// Macro to declare a camelCased API v2 enum mirroring a core enum which
+// tends to use kebab-case.
+macro_rules! v2_enum_from_core {
+    (
+        pub enum $Name:ident from $Src:path { $( $Variant:ident ),+ $(,)? }
+    ) => {
+        #[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
+        #[serde(rename_all = "camelCase")]
+        #[ts(export_to = "v2/")]
+        pub enum $Name { $( $Variant ),+ }
+
+        impl $Name {
+            pub fn to_core(self) -> $Src {
+                match self { $( $Name::$Variant => <$Src>::$Variant ),+ }
+            }
+        }
+
+        impl From<$Src> for $Name {
+            fn from(value: $Src) -> Self {
+                match value { $( <$Src>::$Variant => $Name::$Variant ),+ }
+            }
+        }
+    };
+}
+
+v2_enum_from_core!(
+    pub enum AskForApproval from codex_protocol::protocol::AskForApproval {
+        UnlessTrusted, OnFailure, OnRequest, Never
+    }
+);
+
+v2_enum_from_core!(
+    pub enum SandboxMode from codex_protocol::config_types::SandboxMode {
+        ReadOnly, WorkspaceWrite, DangerFullAccess
+    }
+);
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(tag = "mode", rename_all = "camelCase")]
+#[ts(tag = "mode")]
+#[ts(export_to = "v2/")]
+pub enum SandboxPolicy {
+    DangerFullAccess,
+    ReadOnly,
+    WorkspaceWrite {
+        #[serde(default)]
+        writable_roots: Vec<PathBuf>,
+        #[serde(default)]
+        network_access: bool,
+        #[serde(default)]
+        exclude_tmpdir_env_var: bool,
+        #[serde(default)]
+        exclude_slash_tmp: bool,
+    },
+}
+
+impl SandboxPolicy {
+    pub fn to_core(&self) -> codex_protocol::protocol::SandboxPolicy {
+        match self {
+            SandboxPolicy::DangerFullAccess => {
+                codex_protocol::protocol::SandboxPolicy::DangerFullAccess
+            }
+            SandboxPolicy::ReadOnly => codex_protocol::protocol::SandboxPolicy::ReadOnly,
+            SandboxPolicy::WorkspaceWrite {
+                writable_roots,
+                network_access,
+                exclude_tmpdir_env_var,
+                exclude_slash_tmp,
+            } => codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
+                writable_roots: writable_roots.clone(),
+                network_access: *network_access,
+                exclude_tmpdir_env_var: *exclude_tmpdir_env_var,
+                exclude_slash_tmp: *exclude_slash_tmp,
+            },
+        }
+    }
+}
+
+impl From<codex_protocol::protocol::SandboxPolicy> for SandboxPolicy {
+    fn from(value: codex_protocol::protocol::SandboxPolicy) -> Self {
+        match value {
+            codex_protocol::protocol::SandboxPolicy::DangerFullAccess => {
+                SandboxPolicy::DangerFullAccess
+            }
+            codex_protocol::protocol::SandboxPolicy::ReadOnly => SandboxPolicy::ReadOnly,
+            codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
+                writable_roots,
+                network_access,
+                exclude_tmpdir_env_var,
+                exclude_slash_tmp,
+            } => SandboxPolicy::WorkspaceWrite {
+                writable_roots,
+                network_access,
+                exclude_tmpdir_env_var,
+                exclude_slash_tmp,
+            },
+        }
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "camelCase")]
+#[ts(tag = "type")]
+#[ts(export_to = "v2/")]
+pub enum Account {
+    #[serde(rename = "apiKey", rename_all = "camelCase")]
+    #[ts(rename = "apiKey", rename_all = "camelCase")]
+    ApiKey {},
+
+    #[serde(rename = "chatgpt", rename_all = "camelCase")]
+    #[ts(rename = "chatgpt", rename_all = "camelCase")]
+    Chatgpt { email: String, plan_type: PlanType },
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(tag = "type")]
+#[ts(tag = "type")]
+#[ts(export_to = "v2/")]
+pub enum LoginAccountParams {
+    #[serde(rename = "apiKey", rename_all = "camelCase")]
+    #[ts(rename = "apiKey", rename_all = "camelCase")]
+    ApiKey {
+        #[serde(rename = "apiKey")]
+        #[ts(rename = "apiKey")]
+        api_key: String,
+    },
+    #[serde(rename = "chatgpt")]
+    #[ts(rename = "chatgpt")]
+    Chatgpt,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "camelCase")]
+#[ts(tag = "type")]
+#[ts(export_to = "v2/")]
+pub enum LoginAccountResponse {
+    #[serde(rename = "apiKey", rename_all = "camelCase")]
+    #[ts(rename = "apiKey", rename_all = "camelCase")]
+    ApiKey {},
+    #[serde(rename = "chatgpt", rename_all = "camelCase")]
+    #[ts(rename = "chatgpt", rename_all = "camelCase")]
+    Chatgpt {
+        // Use plain String for identifiers to avoid TS/JSON Schema quirks around uuid-specific types.
+        // Convert to/from UUIDs at the application layer as needed.
+        login_id: String,
+        /// URL the client should open in a browser to initiate the OAuth flow.
+        auth_url: String,
+    },
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct CancelLoginAccountParams {
+    pub login_id: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct CancelLoginAccountResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct LogoutAccountResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct GetAccountRateLimitsResponse {
+    pub rate_limits: RateLimitSnapshot,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct GetAccountParams {
+    #[serde(default)]
+    pub refresh_token: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct GetAccountResponse {
+    pub account: Option<Account>,
+    pub requires_openai_auth: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ModelListParams {
+    /// Opaque pagination cursor returned by a previous call.
+    pub cursor: Option<String>,
+    /// Optional page size; defaults to a reasonable server-side value.
+    pub limit: Option<u32>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct Model {
+    pub id: String,
+    pub model: String,
+    pub display_name: String,
+    pub description: String,
+    pub supported_reasoning_efforts: Vec<ReasoningEffortOption>,
+    pub default_reasoning_effort: ReasoningEffort,
+    // Only one model should be marked as default.
+    pub is_default: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ReasoningEffortOption {
+    pub reasoning_effort: ReasoningEffort,
+    pub description: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ModelListResponse {
+    pub data: Vec<Model>,
+    /// Opaque cursor to pass to the next call to continue after the last item.
+    /// If None, there are no more items to return.
+    pub next_cursor: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct FeedbackUploadParams {
+    pub classification: String,
+    pub reason: Option<String>,
+    pub conversation_id: Option<ConversationId>,
+    pub include_logs: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct FeedbackUploadResponse {
+    pub thread_id: String,
+}
+
+// === Threads, Turns, and Items ===
+// Thread APIs
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadStartParams {
+    pub model: Option<String>,
+    pub model_provider: Option<String>,
+    pub cwd: Option<String>,
+    pub approval_policy: Option<AskForApproval>,
+    pub sandbox: Option<SandboxMode>,
+    pub config: Option<HashMap<String, serde_json::Value>>,
+    pub base_instructions: Option<String>,
+    pub developer_instructions: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadStartResponse {
+    pub thread: Thread,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadResumeParams {
+    pub thread_id: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadResumeResponse {
+    pub thread: Thread,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadArchiveParams {
+    pub thread_id: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadArchiveResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadListParams {
+    /// Opaque pagination cursor returned by a previous call.
+    pub cursor: Option<String>,
+    /// Optional page size; defaults to a reasonable server-side value.
+    pub limit: Option<u32>,
+    /// Optional provider filter; when set, only sessions recorded under these
+    /// providers are returned. When present but empty, includes all providers.
+    pub model_providers: Option<Vec<String>>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadListResponse {
+    pub data: Vec<Thread>,
+    /// Opaque cursor to pass to the next call to continue after the last item.
+    /// if None, there are no more items to return.
+    pub next_cursor: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadCompactParams {
+    pub thread_id: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadCompactResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct Thread {
+    pub id: String,
+    /// Usually the first user message in the thread, if available.
+    pub preview: String,
+    pub model_provider: String,
+    /// Unix timestamp (in seconds) when the thread was created.
+    pub created_at: i64,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct AccountUpdatedNotification {
+    pub auth_mode: Option<AuthMode>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct Turn {
+    pub id: String,
+    pub items: Vec<ThreadItem>,
+    pub status: TurnStatus,
+    pub error: Option<TurnError>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct TurnError {
+    pub message: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub enum TurnStatus {
+    Completed,
+    Interrupted,
+    Failed,
+    InProgress,
+}
+
+// Turn APIs
+#[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct TurnStartParams {
+    pub thread_id: String,
+    pub input: Vec<UserInput>,
+    /// Override the working directory for this turn and subsequent turns.
+    pub cwd: Option<PathBuf>,
+    /// Override the approval policy for this turn and subsequent turns.
+    pub approval_policy: Option<AskForApproval>,
+    /// Override the sandbox policy for this turn and subsequent turns.
+    pub sandbox_policy: Option<SandboxPolicy>,
+    /// Override the model for this turn and subsequent turns.
+    pub model: Option<String>,
+    /// Override the reasoning effort for this turn and subsequent turns.
+    pub effort: Option<ReasoningEffort>,
+    /// Override the reasoning summary for this turn and subsequent turns.
+    pub summary: Option<ReasoningSummary>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct TurnStartResponse {
+    pub turn: Turn,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct TurnInterruptParams {
+    pub thread_id: String,
+    pub turn_id: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct TurnInterruptResponse {}
+
+// User input types
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "camelCase")]
+#[ts(tag = "type")]
+#[ts(export_to = "v2/")]
+pub enum UserInput {
+    Text { text: String },
+    Image { url: String },
+    LocalImage { path: PathBuf },
+}
+
+impl UserInput {
+    pub fn into_core(self) -> CoreUserInput {
+        match self {
+            UserInput::Text { text } => CoreUserInput::Text { text },
+            UserInput::Image { url } => CoreUserInput::Image { image_url: url },
+            UserInput::LocalImage { path } => CoreUserInput::LocalImage { path },
+        }
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "camelCase")]
+#[ts(tag = "type")]
+#[ts(export_to = "v2/")]
+pub enum ThreadItem {
+    UserMessage {
+        id: String,
+        content: Vec<UserInput>,
+    },
+    AgentMessage {
+        id: String,
+        text: String,
+    },
+    Reasoning {
+        id: String,
+        text: String,
+    },
+    CommandExecution {
+        id: String,
+        command: String,
+        aggregated_output: String,
+        exit_code: Option<i32>,
+        status: CommandExecutionStatus,
+        duration_ms: Option<i64>,
+    },
+    FileChange {
+        id: String,
+        changes: Vec<FileUpdateChange>,
+        status: PatchApplyStatus,
+    },
+    McpToolCall {
+        id: String,
+        server: String,
+        tool: String,
+        status: McpToolCallStatus,
+        arguments: JsonValue,
+        result: Option<McpToolCallResult>,
+        error: Option<McpToolCallError>,
+    },
+    WebSearch {
+        id: String,
+        query: String,
+    },
+    TodoList {
+        id: String,
+        items: Vec<TodoItem>,
+    },
+    ImageView {
+        id: String,
+        path: String,
+    },
+    CodeReview {
+        id: String,
+        review: String,
+    },
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub enum CommandExecutionStatus {
+    InProgress,
+    Completed,
+    Failed,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct FileUpdateChange {
+    pub path: String,
+    pub kind: PatchChangeKind,
+    pub diff: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub enum PatchChangeKind {
+    Add,
+    Delete,
+    Update,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub enum PatchApplyStatus {
+    Completed,
+    Failed,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub enum McpToolCallStatus {
+    InProgress,
+    Completed,
+    Failed,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct McpToolCallResult {
+    pub content: Vec<McpContentBlock>,
+    pub structured_content: JsonValue,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct McpToolCallError {
+    pub message: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct TodoItem {
+    pub id: String,
+    pub text: String,
+    pub completed: bool,
+}
+
+// === Server Notifications ===
+// Thread/Turn lifecycle notifications and item progress events
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadStartedNotification {
+    pub thread: Thread,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct TurnStartedNotification {
+    pub turn: Turn,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct Usage {
+    pub input_tokens: i32,
+    pub cached_input_tokens: i32,
+    pub output_tokens: i32,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct TurnCompletedNotification {
+    pub turn: Turn,
+    // TODO: should usage be stored on the Turn object, and we return that instead?
+    pub usage: Usage,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ItemStartedNotification {
+    pub item: ThreadItem,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ItemCompletedNotification {
+    pub item: ThreadItem,
+}
+
+// Item-specific progress notifications
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct AgentMessageDeltaNotification {
+    pub item_id: String,
+    pub delta: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct CommandExecutionOutputDeltaNotification {
+    pub item_id: String,
+    pub delta: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct McpToolCallProgressNotification {
+    pub item_id: String,
+    pub message: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct AccountRateLimitsUpdatedNotification {
+    pub rate_limits: RateLimitSnapshot,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct RateLimitSnapshot {
+    pub primary: Option<RateLimitWindow>,
+    pub secondary: Option<RateLimitWindow>,
+}
+
+impl From<CoreRateLimitSnapshot> for RateLimitSnapshot {
+    fn from(value: CoreRateLimitSnapshot) -> Self {
+        Self {
+            primary: value.primary.map(RateLimitWindow::from),
+            secondary: value.secondary.map(RateLimitWindow::from),
+        }
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct RateLimitWindow {
+    pub used_percent: i32,
+    pub window_duration_mins: Option<i64>,
+    pub resets_at: Option<i64>,
+}
+
+impl From<CoreRateLimitWindow> for RateLimitWindow {
+    fn from(value: CoreRateLimitWindow) -> Self {
+        Self {
+            used_percent: value.used_percent.round() as i32,
+            window_duration_mins: value.window_minutes,
+            resets_at: value.resets_at,
+        }
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct AccountLoginCompletedNotification {
+    // Use plain String for identifiers to avoid TS/JSON Schema quirks around uuid-specific types.
+    // Convert to/from UUIDs at the application layer as needed.
+    pub login_id: Option<String>,
+    pub success: bool,
+    pub error: Option<String>,
+}
--- a/codex-rs/app-server/README.md
+++ b/codex-rs/app-server/README.md
@@ -1,6 +1,6 @@
 # codex-app-server

-`codex app-server` is the harness Codex uses to power rich interfaces such as the [Codex VS Code extension](https://marketplace.visualstudio.com/items?itemName=openai.chatgpt). The message schema is currently unstable, but those who wish to build experimental UIs on top of Codex may find it valuable.
+`codex app-server` is the interface Codex uses to power rich interfaces such as the [Codex VS Code extension](https://marketplace.visualstudio.com/items?itemName=openai.chatgpt). The message schema is currently unstable, but those who wish to build experimental UIs on top of Codex may find it valuable.

 ## Protocol

@@ -13,3 +13,241 @@ Currently, you can dump a TypeScript version of the schema using `codex generate
 ```
 codex generate-ts --out DIR
 ```
+
+## Initialization
+
+Clients must send a single `initialize` request before invoking any other method, then acknowledge with an `initialized` notification. The server returns the user agent string it will present to upstream services; subsequent requests issued before initialization receive a `"Not initialized"` error, and repeated `initialize` calls receive an `"Already initialized"` error.
+
+Example:
+
+```json
+{ "method": "initialize", "id": 0, "params": {
+    "clientInfo": { "name": "codex-vscode", "title": "Codex VS Code Extension", "version": "0.1.0" }
+} }
+{ "id": 0, "result": { "userAgent": "codex-app-server/0.1.0 codex-vscode/0.1.0" } }
+{ "method": "initialized" }
+```
+
+## Core primitives
+
+We have 3 top level primitives:
+- Thread - a conversation between the Codex agent and a user. Each thread contains multiple turns.
+- Turn - one turn of the conversation, typically starting with a user message and finishing with an agent message. Each turn contains multiple items.
+- Item - represents user inputs and agent outputs as part of the turn, persisted and used as the context for future conversations.
+
+## Thread & turn endpoints
+
+The JSON-RPC API exposes dedicated methods for managing Codex conversations. Threads store long-lived conversation metadata, and turns store the per-message exchange (input → Codex output, including streamed items). Use the thread APIs to create, list, or archive sessions, then drive the conversation with turn APIs and notifications.
+
+### Quick reference
+- `thread/start` — create a new thread; emits `thread/started` and auto-subscribes you to turn/item events for that thread.
+- `thread/resume` — reopen an existing thread by id so subsequent `turn/start` calls append to it.
+- `thread/list` — page through stored rollouts; supports cursor-based pagination and optional `modelProviders` filtering.
+- `thread/archive` — move a thread’s rollout file into the archived directory; returns `{}` on success.
+- `turn/start` — add user input to a thread and begin Codex generation; responds with the initial `turn` object and streams `turn/started`, `item/*`, and `turn/completed` notifications.
+- `turn/interrupt` — request cancellation of an in-flight turn by `(thread_id, turn_id)`; success is an empty `{}` response and the turn finishes with `status: "interrupted"`.
+
+### 1) Start or resume a thread
+
+Start a fresh thread when you need a new Codex conversation. Optional fields mirror CLI defaults: set `model`, `modelProvider`, `cwd`, `approvalPolicy`, `sandbox`, or custom `config` values. Instructions can be set via `baseInstructions` and `developerInstructions`:
+
+```json
+{ "method": "thread/start", "id": 10, "params": {
+    "model": "gpt-5-codex",
+    "cwd": "/Users/me/project",
+    "approvalPolicy": "never",
+    "sandbox": "workspace-write",
+    "baseInstructions": "You're helping with refactors."
+} }
+{ "id": 10, "result": {
+    "thread": {
+        "id": "thr_123",
+        "preview": "",
+        "modelProvider": "openai",
+        "createdAt": 1730910000
+    }
+} }
+{ "method": "thread/started", "params": { "thread": { … } } }
+```
+
+To continue a stored session, call `thread/resume` with the `thread.id` you previously recorded. The response shape matches `thread/start`, and no additional notifications are emitted:
+
+```json
+{ "method": "thread/resume", "id": 11, "params": { "threadId": "thr_123" } }
+{ "id": 11, "result": { "thread": { "id": "thr_123", … } } }
+```
+
+### 2) List threads (pagination & filters)
+
+`thread/list` lets you render a history UI. Pass any combination of:
+- `cursor` — opaque string from a prior response; omit for the first page.
+- `limit` — server defaults to a reasonable page size if unset.
+- `modelProviders` — restrict results to specific providers; unset, null, or an empty array will include all providers.
+
+Example:
+
+```json
+{ "method": "thread/list", "id": 20, "params": {
+    "cursor": null,
+    "limit": 25,
+    "modelProviders": ["openai"]
+} }
+{ "id": 20, "result": {
+    "data": [
+        { "id": "thr_a", "preview": "Create a TUI", "modelProvider": "openai", "createdAt": 1730831111 },
+        { "id": "thr_b", "preview": "Fix tests", "modelProvider": "openai", "createdAt": 1730750000 }
+    ],
+    "nextCursor": "opaque-token-or-null"
+} }
+```
+
+When `nextCursor` is `null`, you’ve reached the final page.
+
+### 3) Archive a thread
+
+Use `thread/archive` to move the persisted rollout (stored as a JSONL file on disk) into the archived sessions directory.
+
+```json
+{ "method": "thread/archive", "id": 21, "params": { "threadId": "thr_b" } }
+{ "id": 21, "result": {} }
+```
+
+An archived thread will not appear in future calls to `thread/list`.
+
+### 4) Start a turn (send user input)
+
+Turns attach user input (text or images) to a thread and trigger Codex generation. The `input` field is a list of discriminated unions:
+
+- `{"type":"text","text":"Explain this diff"}`
+- `{"type":"image","url":"https://…png"}`
+- `{"type":"localImage","path":"/tmp/screenshot.png"}`
+
+Override knobs apply to the new turn and become the defaults for subsequent turns on the same thread:
+
+```json
+{ "method": "turn/start", "id": 30, "params": {
+    "threadId": "thr_123",
+    "input": [ { "type": "text", "text": "Run tests" } ],
+    "cwd": "/Users/me/project",
+    "approvalPolicy": "untrusted",
+    "sandboxPolicy": "workspace-write",
+    "model": "gpt-5-codex",
+    "effort": "medium",
+    "summary": "focus-on-test-failures"
+} }
+{ "id": 30, "result": { "turn": {
+    "id": "turn_456",
+    "status": "inProgress",
+    "items": [],
+    "error": null
+} } }
+```
+
+### 5) Interrupt an active turn
+
+You can cancel a running Turn with `turn/interrupt`.
+
+```json
+{ "method": "turn/interrupt", "id": 31, "params": {
+    "threadId": "thr_123",
+    "turnId": "turn_456"
+} }
+{ "id": 31, "result": {} }
+```
+
+The server requests cancellations for running subprocesses, then emits a `turn/completed` event with `status: "interrupted"`. Rely on the `turn/completed` to know when Codex-side cleanup is done.
+
+## Auth endpoints
+
+The v2 JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.
+
+### Quick reference
+- `account/read` — fetch current account info; optionally refresh tokens.
+- `account/login/start` — begin login (`apiKey` or `chatgpt`).
+- `account/login/completed` (notify) — emitted when a login attempt finishes (success or error).
+- `account/login/cancel` — cancel a pending ChatGPT login by `loginId`.
+- `account/logout` — sign out; triggers `account/updated`.
+- `account/updated` (notify) — emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, or `null`).
+- `account/rateLimits/read` — fetch ChatGPT rate limits; updates arrive via `account/rateLimits/updated` (notify).
+
+### 1) Check auth state
+
+Request:
+```json
+{ "method": "account/read", "id": 1, "params": { "refreshToken": false } }
+```
+
+Response examples:
+```json
+{ "id": 1, "result": { "account": null, "requiresOpenaiAuth": false } } // No OpenAI auth needed (e.g., OSS/local models)
+{ "id": 1, "result": { "account": null, "requiresOpenaiAuth": true } }  // OpenAI auth required (typical for OpenAI-hosted models)
+{ "id": 1, "result": { "account": { "type": "apiKey" }, "requiresOpenaiAuth": true } }
+{ "id": 1, "result": { "account": { "type": "chatgpt", "email": "user@example.com", "planType": "pro" }, "requiresOpenaiAuth": true } }
+```
+
+Field notes:
+- `refreshToken` (bool): set `true` to force a token refresh.
+- `requiresOpenaiAuth` reflects the active provider; when `false`, Codex can run without OpenAI credentials.
+
+### 2) Log in with an API key
+
+1. Send:
+   ```json
+   { "method": "account/login/start", "id": 2, "params": { "type": "apiKey", "apiKey": "sk-…" } }
+   ```
+2. Expect:
+   ```json
+   { "id": 2, "result": { "type": "apiKey" } }
+   ```
+3. Notifications:
+   ```json
+   { "method": "account/login/completed", "params": { "loginId": null, "success": true, "error": null } }
+   { "method": "account/updated", "params": { "authMode": "apikey" } }
+   ```
+
+### 3) Log in with ChatGPT (browser flow)
+
+1. Start:
+   ```json
+   { "method": "account/login/start", "id": 3, "params": { "type": "chatgpt" } }
+   { "id": 3, "result": { "type": "chatgpt", "loginId": "<uuid>", "authUrl": "https://chatgpt.com/…&redirect_uri=http%3A%2F%2Flocalhost%3A<port>%2Fauth%2Fcallback" } }
+   ```
+2. Open `authUrl` in a browser; the app-server hosts the local callback.
+3. Wait for notifications:
+   ```json
+   { "method": "account/login/completed", "params": { "loginId": "<uuid>", "success": true, "error": null } }
+   { "method": "account/updated", "params": { "authMode": "chatgpt" } }
+   ```
+
+### 4) Cancel a ChatGPT login
+
+```json
+{ "method": "account/login/cancel", "id": 4, "params": { "loginId": "<uuid>" } }
+{ "method": "account/login/completed", "params": { "loginId": "<uuid>", "success": false, "error": "…" } }
+```
+
+### 5) Logout
+
+```json
+{ "method": "account/logout", "id": 5 }
+{ "id": 5, "result": {} }
+{ "method": "account/updated", "params": { "authMode": null } }
+```
+
+### 6) Rate limits (ChatGPT)
+
+```json
+{ "method": "account/rateLimits/read", "id": 6 }
+{ "id": 6, "result": { "rateLimits": { "primary": { "usedPercent": 25, "windowDurationMins": 15, "resetsAt": 1730947200 }, "secondary": null } } }
+{ "method": "account/rateLimits/updated", "params": { "rateLimits": { … } } }
+```
+
+Field notes:
+- `usedPercent` is current usage within the OpenAI quota window.
+- `windowDurationMins` is the quota window length.
+- `resetsAt` is a Unix timestamp (seconds) for the next reset.
+
+### Dev notes
+
+- `codex generate-ts --out <dir>` emits v2 types under `v2/`.
+- See [“Authentication and authorization” in the config docs](../../docs/config.md#authentication-and-authorization) for configuration knobs.
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
--- a/codex-rs/app-server/src/message_processor.rs
+++ b/codex-rs/app-server/src/message_processor.rs
@@ -64,64 +64,79 @@ impl MessageProcessor {

    pub(crate) async fn process_request(&mut self, request: JSONRPCRequest) {
        let request_id = request.id.clone();
-        if let Ok(request_json) = serde_json::to_value(request)
-            && let Ok(codex_request) = serde_json::from_value::<ClientRequest>(request_json)
-        {
-            match codex_request {
-                // Handle Initialize internally so CodexMessageProcessor does not have to concern
-                // itself with the `initialized` bool.
-                ClientRequest::Initialize { request_id, params } => {
-                    if self.initialized {
-                        let error = JSONRPCErrorError {
-                            code: INVALID_REQUEST_ERROR_CODE,
-                            message: "Already initialized".to_string(),
-                            data: None,
-                        };
-                        self.outgoing.send_error(request_id, error).await;
-                        return;
-                    } else {
-                        let ClientInfo {
-                            name,
-                            title: _title,
-                            version,
-                        } = params.client_info;
-                        let user_agent_suffix = format!("{name}; {version}");
-                        if let Ok(mut suffix) = USER_AGENT_SUFFIX.lock() {
-                            *suffix = Some(user_agent_suffix);
-                        }
+        let request_json = match serde_json::to_value(&request) {
+            Ok(request_json) => request_json,
+            Err(err) => {
+                let error = JSONRPCErrorError {
+                    code: INVALID_REQUEST_ERROR_CODE,
+                    message: format!("Invalid request: {err}"),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };

-                        let user_agent = get_codex_user_agent();
-                        let response = InitializeResponse { user_agent };
-                        self.outgoing.send_response(request_id, response).await;
+        let codex_request = match serde_json::from_value::<ClientRequest>(request_json) {
+            Ok(codex_request) => codex_request,
+            Err(err) => {
+                let error = JSONRPCErrorError {
+                    code: INVALID_REQUEST_ERROR_CODE,
+                    message: format!("Invalid request: {err}"),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };

-                        self.initialized = true;
-                        return;
-                    }
-                }
-                _ => {
-                    if !self.initialized {
-                        let error = JSONRPCErrorError {
-                            code: INVALID_REQUEST_ERROR_CODE,
-                            message: "Not initialized".to_string(),
-                            data: None,
-                        };
-                        self.outgoing.send_error(request_id, error).await;
-                        return;
+        match codex_request {
+            // Handle Initialize internally so CodexMessageProcessor does not have to concern
+            // itself with the `initialized` bool.
+            ClientRequest::Initialize { request_id, params } => {
+                if self.initialized {
+                    let error = JSONRPCErrorError {
+                        code: INVALID_REQUEST_ERROR_CODE,
+                        message: "Already initialized".to_string(),
+                        data: None,
+                    };
+                    self.outgoing.send_error(request_id, error).await;
+                    return;
+                } else {
+                    let ClientInfo {
+                        name,
+                        title: _title,
+                        version,
+                    } = params.client_info;
+                    let user_agent_suffix = format!("{name}; {version}");
+                    if let Ok(mut suffix) = USER_AGENT_SUFFIX.lock() {
+                        *suffix = Some(user_agent_suffix);
                    }
+
+                    let user_agent = get_codex_user_agent();
+                    let response = InitializeResponse { user_agent };
+                    self.outgoing.send_response(request_id, response).await;
+
+                    self.initialized = true;
+                    return;
+                }
+            }
+            _ => {
+                if !self.initialized {
+                    let error = JSONRPCErrorError {
+                        code: INVALID_REQUEST_ERROR_CODE,
+                        message: "Not initialized".to_string(),
+                        data: None,
+                    };
+                    self.outgoing.send_error(request_id, error).await;
+                    return;
                }
            }
-
-            self.codex_message_processor
-                .process_request(codex_request)
-                .await;
-        } else {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "Invalid request".to_string(),
-                data: None,
-            };
-            self.outgoing.send_error(request_id, error).await;
        }
+
+        self.codex_message_processor
+            .process_request(codex_request)
+            .await;
    }

    pub(crate) async fn process_notification(&self, notification: JSONRPCNotification) {
--- a/codex-rs/app-server/src/models.rs
+++ b/codex-rs/app-server/src/models.rs
@@ -1,11 +1,12 @@
+use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::Model;
 use codex_app_server_protocol::ReasoningEffortOption;
 use codex_common::model_presets::ModelPreset;
 use codex_common::model_presets::ReasoningEffortPreset;
 use codex_common::model_presets::builtin_model_presets;

-pub fn supported_models() -> Vec<Model> {
-    builtin_model_presets(None)
+pub fn supported_models(auth_mode: Option<AuthMode>) -> Vec<Model> {
+    builtin_model_presets(auth_mode)
        .into_iter()
        .map(model_from_preset)
        .collect()
--- a/codex-rs/app-server/src/outgoing_message.rs
+++ b/codex-rs/app-server/src/outgoing_message.rs
@@ -141,9 +141,13 @@ pub(crate) struct OutgoingError {

 #[cfg(test)]
 mod tests {
+    use codex_app_server_protocol::AccountLoginCompletedNotification;
+    use codex_app_server_protocol::AccountRateLimitsUpdatedNotification;
+    use codex_app_server_protocol::AccountUpdatedNotification;
+    use codex_app_server_protocol::AuthMode;
    use codex_app_server_protocol::LoginChatGptCompleteNotification;
-    use codex_protocol::protocol::RateLimitSnapshot;
-    use codex_protocol::protocol::RateLimitWindow;
+    use codex_app_server_protocol::RateLimitSnapshot;
+    use codex_app_server_protocol::RateLimitWindow;
    use pretty_assertions::assert_eq;
    use serde_json::json;
    use uuid::Uuid;
@@ -176,27 +180,77 @@ mod tests {
    }

    #[test]
-    fn verify_account_rate_limits_notification_serialization() {
-        let notification = ServerNotification::AccountRateLimitsUpdated(RateLimitSnapshot {
-            primary: Some(RateLimitWindow {
-                used_percent: 25.0,
-                window_minutes: Some(15),
-                resets_at: Some(123),
+    fn verify_account_login_completed_notification_serialization() {
+        let notification =
+            ServerNotification::AccountLoginCompleted(AccountLoginCompletedNotification {
+                login_id: Some(Uuid::nil().to_string()),
+                success: true,
+                error: None,
+            });
+
+        let jsonrpc_notification = OutgoingMessage::AppServerNotification(notification);
+        assert_eq!(
+            json!({
+                "method": "account/login/completed",
+                "params": {
+                    "loginId": Uuid::nil().to_string(),
+                    "success": true,
+                    "error": null,
+                },
            }),
-            secondary: None,
-        });
+            serde_json::to_value(jsonrpc_notification)
+                .expect("ensure the notification serializes correctly"),
+            "ensure the notification serializes correctly"
+        );
+    }
+
+    #[test]
+    fn verify_account_rate_limits_notification_serialization() {
+        let notification =
+            ServerNotification::AccountRateLimitsUpdated(AccountRateLimitsUpdatedNotification {
+                rate_limits: RateLimitSnapshot {
+                    primary: Some(RateLimitWindow {
+                        used_percent: 25,
+                        window_duration_mins: Some(15),
+                        resets_at: Some(123),
+                    }),
+                    secondary: None,
+                },
+            });

        let jsonrpc_notification = OutgoingMessage::AppServerNotification(notification);
        assert_eq!(
            json!({
                "method": "account/rateLimits/updated",
                "params": {
-                    "primary": {
-                        "used_percent": 25.0,
-                        "window_minutes": 15,
-                        "resets_at": 123,
-                    },
-                    "secondary": null,
+                    "rateLimits": {
+                        "primary": {
+                            "usedPercent": 25,
+                            "windowDurationMins": 15,
+                            "resetsAt": 123
+                        },
+                        "secondary": null
+                    }
+                },
+            }),
+            serde_json::to_value(jsonrpc_notification)
+                .expect("ensure the notification serializes correctly"),
+            "ensure the notification serializes correctly"
+        );
+    }
+
+    #[test]
+    fn verify_account_updated_notification_serialization() {
+        let notification = ServerNotification::AccountUpdated(AccountUpdatedNotification {
+            auth_mode: Some(AuthMode::ApiKey),
+        });
+
+        let jsonrpc_notification = OutgoingMessage::AppServerNotification(notification);
+        assert_eq!(
+            json!({
+                "method": "account/updated",
+                "params": {
+                    "authMode": "apikey"
                },
            }),
            serde_json::to_value(jsonrpc_notification)
--- a/codex-rs/app-server/tests/common/Cargo.toml
+++ b/codex-rs/app-server/tests/common/Cargo.toml
@@ -13,6 +13,7 @@ base64 = { workspace = true }
 chrono = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-core = { workspace = true }
+codex-protocol = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = [
@@ -21,4 +22,5 @@ tokio = { workspace = true, features = [
    "process",
    "rt-multi-thread",
 ] }
+uuid = { workspace = true }
 wiremock = { workspace = true }
--- a/codex-rs/app-server/tests/common/lib.rs
+++ b/codex-rs/app-server/tests/common/lib.rs
@@ -2,6 +2,7 @@ mod auth_fixtures;
 mod mcp_process;
 mod mock_model_server;
 mod responses;
+mod rollout;

 pub use auth_fixtures::ChatGptAuthFixture;
 pub use auth_fixtures::ChatGptIdTokenClaims;
@@ -10,9 +11,11 @@ pub use auth_fixtures::write_chatgpt_auth;
 use codex_app_server_protocol::JSONRPCResponse;
 pub use mcp_process::McpProcess;
 pub use mock_model_server::create_mock_chat_completions_server;
+pub use mock_model_server::create_mock_chat_completions_server_unchecked;
 pub use responses::create_apply_patch_sse_response;
 pub use responses::create_final_assistant_message_sse_response;
 pub use responses::create_shell_sse_response;
+pub use rollout::create_fake_rollout;
 use serde::de::DeserializeOwned;

 pub fn to_response<T: DeserializeOwned>(response: JSONRPCResponse) -> anyhow::Result<T> {
--- a/codex-rs/app-server/tests/common/mcp_process.rs
+++ b/codex-rs/app-server/tests/common/mcp_process.rs
@@ -14,30 +14,37 @@ use anyhow::Context;
 use assert_cmd::prelude::*;
 use codex_app_server_protocol::AddConversationListenerParams;
 use codex_app_server_protocol::ArchiveConversationParams;
+use codex_app_server_protocol::CancelLoginAccountParams;
 use codex_app_server_protocol::CancelLoginChatGptParams;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientNotification;
+use codex_app_server_protocol::FeedbackUploadParams;
+use codex_app_server_protocol::GetAccountParams;
 use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::InterruptConversationParams;
-use codex_app_server_protocol::ListConversationsParams;
-use codex_app_server_protocol::ListModelsParams;
-use codex_app_server_protocol::LoginApiKeyParams;
-use codex_app_server_protocol::NewConversationParams;
-use codex_app_server_protocol::RemoveConversationListenerParams;
-use codex_app_server_protocol::ResumeConversationParams;
-use codex_app_server_protocol::SendUserMessageParams;
-use codex_app_server_protocol::SendUserTurnParams;
-use codex_app_server_protocol::ServerRequest;
-use codex_app_server_protocol::SetDefaultModelParams;
-use codex_app_server_protocol::UploadFeedbackParams;
-
 use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCMessage;
 use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::JSONRPCRequest;
 use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::ListConversationsParams;
+use codex_app_server_protocol::LoginApiKeyParams;
+use codex_app_server_protocol::ModelListParams;
+use codex_app_server_protocol::NewConversationParams;
+use codex_app_server_protocol::RemoveConversationListenerParams;
 use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ResumeConversationParams;
+use codex_app_server_protocol::SendUserMessageParams;
+use codex_app_server_protocol::SendUserTurnParams;
+use codex_app_server_protocol::ServerRequest;
+use codex_app_server_protocol::SetDefaultModelParams;
+use codex_app_server_protocol::ThreadArchiveParams;
+use codex_app_server_protocol::ThreadListParams;
+use codex_app_server_protocol::ThreadResumeParams;
+use codex_app_server_protocol::ThreadStartParams;
+use codex_app_server_protocol::TurnInterruptParams;
+use codex_app_server_protocol::TurnStartParams;
 use std::process::Command as StdCommand;
 use tokio::process::Command;

@@ -243,10 +250,19 @@ impl McpProcess {
        self.send_request("account/rateLimits/read", None).await
    }

-    /// Send a `feedback/upload` JSON-RPC request.
-    pub async fn send_upload_feedback_request(
+    /// Send an `account/read` JSON-RPC request.
+    pub async fn send_get_account_request(
        &mut self,
-        params: UploadFeedbackParams,
+        params: GetAccountParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("account/read", params).await
+    }
+
+    /// Send a `feedback/upload` JSON-RPC request.
+    pub async fn send_feedback_upload_request(
+        &mut self,
+        params: FeedbackUploadParams,
    ) -> anyhow::Result<i64> {
        let params = Some(serde_json::to_value(params)?);
        self.send_request("feedback/upload", params).await
@@ -275,10 +291,46 @@ impl McpProcess {
        self.send_request("listConversations", params).await
    }

+    /// Send a `thread/start` JSON-RPC request.
+    pub async fn send_thread_start_request(
+        &mut self,
+        params: ThreadStartParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("thread/start", params).await
+    }
+
+    /// Send a `thread/resume` JSON-RPC request.
+    pub async fn send_thread_resume_request(
+        &mut self,
+        params: ThreadResumeParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("thread/resume", params).await
+    }
+
+    /// Send a `thread/archive` JSON-RPC request.
+    pub async fn send_thread_archive_request(
+        &mut self,
+        params: ThreadArchiveParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("thread/archive", params).await
+    }
+
+    /// Send a `thread/list` JSON-RPC request.
+    pub async fn send_thread_list_request(
+        &mut self,
+        params: ThreadListParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("thread/list", params).await
+    }
+
    /// Send a `model/list` JSON-RPC request.
    pub async fn send_list_models_request(
        &mut self,
-        params: ListModelsParams,
+        params: ModelListParams,
    ) -> anyhow::Result<i64> {
        let params = Some(serde_json::to_value(params)?);
        self.send_request("model/list", params).await
@@ -307,6 +359,24 @@ impl McpProcess {
        self.send_request("loginChatGpt", None).await
    }

+    /// Send a `turn/start` JSON-RPC request (v2).
+    pub async fn send_turn_start_request(
+        &mut self,
+        params: TurnStartParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("turn/start", params).await
+    }
+
+    /// Send a `turn/interrupt` JSON-RPC request (v2).
+    pub async fn send_turn_interrupt_request(
+        &mut self,
+        params: TurnInterruptParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("turn/interrupt", params).await
+    }
+
    /// Send a `cancelLoginChatGpt` JSON-RPC request.
    pub async fn send_cancel_login_chat_gpt_request(
        &mut self,
@@ -321,6 +391,40 @@ impl McpProcess {
        self.send_request("logoutChatGpt", None).await
    }

+    /// Send an `account/logout` JSON-RPC request.
+    pub async fn send_logout_account_request(&mut self) -> anyhow::Result<i64> {
+        self.send_request("account/logout", None).await
+    }
+
+    /// Send an `account/login/start` JSON-RPC request for API key login.
+    pub async fn send_login_account_api_key_request(
+        &mut self,
+        api_key: &str,
+    ) -> anyhow::Result<i64> {
+        let params = serde_json::json!({
+            "type": "apiKey",
+            "apiKey": api_key,
+        });
+        self.send_request("account/login/start", Some(params)).await
+    }
+
+    /// Send an `account/login/start` JSON-RPC request for ChatGPT login.
+    pub async fn send_login_account_chatgpt_request(&mut self) -> anyhow::Result<i64> {
+        let params = serde_json::json!({
+            "type": "chatgpt"
+        });
+        self.send_request("account/login/start", Some(params)).await
+    }
+
+    /// Send an `account/login/cancel` JSON-RPC request.
+    pub async fn send_cancel_login_account_request(
+        &mut self,
+        params: CancelLoginAccountParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("account/login/cancel", params).await
+    }
+
    /// Send a `fuzzyFileSearch` JSON-RPC request.
    pub async fn send_fuzzy_file_search_request(
        &mut self,
--- a/codex-rs/app-server/tests/common/mock_model_server.rs
+++ b/codex-rs/app-server/tests/common/mock_model_server.rs
@@ -29,6 +29,25 @@ pub async fn create_mock_chat_completions_server(responses: Vec<String>) -> Mock
    server
 }

+/// Same as `create_mock_chat_completions_server` but does not enforce an
+/// expectation on the number of calls.
+pub async fn create_mock_chat_completions_server_unchecked(responses: Vec<String>) -> MockServer {
+    let server = MockServer::start().await;
+
+    let seq_responder = SeqResponder {
+        num_calls: AtomicUsize::new(0),
+        responses,
+    };
+
+    Mock::given(method("POST"))
+        .and(path("/v1/chat/completions"))
+        .respond_with(seq_responder)
+        .mount(&server)
+        .await;
+
+    server
+}
+
 struct SeqResponder {
    num_calls: AtomicUsize,
    responses: Vec<String>,
--- a/codex-rs/app-server/tests/common/rollout.rs
+++ b/codex-rs/app-server/tests/common/rollout.rs
@@ -0,0 +1,82 @@
+use anyhow::Result;
+use codex_protocol::ConversationId;
+use codex_protocol::protocol::SessionMeta;
+use codex_protocol::protocol::SessionSource;
+use serde_json::json;
+use std::fs;
+use std::path::Path;
+use std::path::PathBuf;
+use uuid::Uuid;
+
+/// Create a minimal rollout file under `CODEX_HOME/sessions/YYYY/MM/DD/`.
+///
+/// - `filename_ts` is the filename timestamp component in `YYYY-MM-DDThh-mm-ss` format.
+/// - `meta_rfc3339` is the envelope timestamp used in JSON lines.
+/// - `preview` is the user message preview text.
+/// - `model_provider` optionally sets the provider in the session meta payload.
+///
+/// Returns the generated conversation/session UUID as a string.
+pub fn create_fake_rollout(
+    codex_home: &Path,
+    filename_ts: &str,
+    meta_rfc3339: &str,
+    preview: &str,
+    model_provider: Option<&str>,
+) -> Result<String> {
+    let uuid = Uuid::new_v4();
+    let uuid_str = uuid.to_string();
+    let conversation_id = ConversationId::from_string(&uuid_str)?;
+
+    // sessions/YYYY/MM/DD derived from filename_ts (YYYY-MM-DDThh-mm-ss)
+    let year = &filename_ts[0..4];
+    let month = &filename_ts[5..7];
+    let day = &filename_ts[8..10];
+    let dir = codex_home.join("sessions").join(year).join(month).join(day);
+    fs::create_dir_all(&dir)?;
+
+    let file_path = dir.join(format!("rollout-{filename_ts}-{uuid}.jsonl"));
+
+    // Build JSONL lines
+    let payload = serde_json::to_value(SessionMeta {
+        id: conversation_id,
+        timestamp: meta_rfc3339.to_string(),
+        cwd: PathBuf::from("/"),
+        originator: "codex".to_string(),
+        cli_version: "0.0.0".to_string(),
+        instructions: None,
+        source: SessionSource::Cli,
+        model_provider: model_provider.map(str::to_string),
+    })?;
+
+    let lines = [
+        json!({
+            "timestamp": meta_rfc3339,
+            "type": "session_meta",
+            "payload": payload
+        })
+        .to_string(),
+        json!({
+            "timestamp": meta_rfc3339,
+            "type":"response_item",
+            "payload": {
+                "type":"message",
+                "role":"user",
+                "content":[{"type":"input_text","text": preview}]
+            }
+        })
+        .to_string(),
+        json!({
+            "timestamp": meta_rfc3339,
+            "type":"event_msg",
+            "payload": {
+                "type":"user_message",
+                "message": preview,
+                "kind": "plain"
+            }
+        })
+        .to_string(),
+    ];
+
+    fs::write(file_path, lines.join("\n") + "\n")?;
+    Ok(uuid_str)
+}
--- a/codex-rs/app-server/tests/suite/archive_conversation.rs
+++ b/codex-rs/app-server/tests/suite/archive_conversation.rs
@@ -12,7 +12,7 @@ use std::path::Path;
 use tempfile::TempDir;
 use tokio::time::timeout;

-const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(20);

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn archive_conversation_moves_rollout_into_archived_directory() -> Result<()> {
--- a/codex-rs/app-server/tests/suite/interrupt.rs
+++ b/codex-rs/app-server/tests/suite/interrupt.rs
@@ -146,7 +146,7 @@ fn create_config_toml(codex_home: &Path, server_uri: String) -> std::io::Result<
            r#"
 model = "mock-model"
 approval_policy = "never"
-sandbox_mode = "danger-full-access"
+sandbox_mode = "read-only"

 model_provider = "mock_provider"

--- a/codex-rs/app-server/tests/suite/list_resume.rs
+++ b/codex-rs/app-server/tests/suite/list_resume.rs
@@ -1,5 +1,6 @@
 use anyhow::Result;
 use app_test_support::McpProcess;
+use app_test_support::create_fake_rollout;
 use app_test_support::to_response;
 use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::JSONRPCResponse;
@@ -15,12 +16,8 @@ use codex_core::protocol::EventMsg;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
 use pretty_assertions::assert_eq;
-use serde_json::json;
-use std::fs;
-use std::path::Path;
 use tempfile::TempDir;
 use tokio::time::timeout;
-use uuid::Uuid;

 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);

@@ -357,70 +354,3 @@ async fn test_list_and_resume_conversations() -> Result<()> {

    Ok(())
 }
-
-fn create_fake_rollout(
-    codex_home: &Path,
-    filename_ts: &str,
-    meta_rfc3339: &str,
-    preview: &str,
-    model_provider: Option<&str>,
-) -> Result<()> {
-    let uuid = Uuid::new_v4();
-    // sessions/YYYY/MM/DD/ derived from filename_ts (YYYY-MM-DDThh-mm-ss)
-    let year = &filename_ts[0..4];
-    let month = &filename_ts[5..7];
-    let day = &filename_ts[8..10];
-    let dir = codex_home.join("sessions").join(year).join(month).join(day);
-    fs::create_dir_all(&dir)?;
-
-    let file_path = dir.join(format!("rollout-{filename_ts}-{uuid}.jsonl"));
-    let mut lines = Vec::new();
-    // Meta line with timestamp (flattened meta in payload for new schema)
-    let mut payload = json!({
-        "id": uuid,
-        "timestamp": meta_rfc3339,
-        "cwd": "/",
-        "originator": "codex",
-        "cli_version": "0.0.0",
-        "instructions": null,
-    });
-    if let Some(provider) = model_provider {
-        payload["model_provider"] = json!(provider);
-    }
-    lines.push(
-        json!({
-            "timestamp": meta_rfc3339,
-            "type": "session_meta",
-            "payload": payload
-        })
-        .to_string(),
-    );
-    // Minimal user message entry as a persisted response item (with envelope timestamp)
-    lines.push(
-        json!({
-            "timestamp": meta_rfc3339,
-            "type":"response_item",
-            "payload": {
-                "type":"message",
-                "role":"user",
-                "content":[{"type":"input_text","text": preview}]
-            }
-        })
-        .to_string(),
-    );
-    // Add a matching user message event line to satisfy filters
-    lines.push(
-        json!({
-            "timestamp": meta_rfc3339,
-            "type":"event_msg",
-            "payload": {
-                "type":"user_message",
-                "message": preview,
-                "kind": "plain"
-            }
-        })
-        .to_string(),
-    );
-    fs::write(file_path, lines.join("\n") + "\n")?;
-    Ok(())
-}
--- a/codex-rs/app-server/tests/suite/mod.rs
+++ b/codex-rs/app-server/tests/suite/mod.rs
@@ -7,9 +7,8 @@ mod fuzzy_file_search;
 mod interrupt;
 mod list_resume;
 mod login;
-mod model_list;
-mod rate_limits;
 mod send_message;
 mod set_default_model;
 mod user_agent;
 mod user_info;
+mod v2;
--- a/codex-rs/app-server/tests/suite/send_message.rs
+++ b/codex-rs/app-server/tests/suite/send_message.rs
@@ -313,10 +313,11 @@ fn assert_instructions_message(item: &ResponseItem) {
        ResponseItem::Message { role, content, .. } => {
            assert_eq!(role, "user");
            let texts = content_texts(content);
+            let is_instructions = texts
+                .iter()
+                .any(|text| text.starts_with("# AGENTS.md instructions for "));
            assert!(
-                texts
-                    .iter()
-                    .any(|text| text.contains("<user_instructions>")),
+                is_instructions,
                "expected instructions message, got {texts:?}"
            );
        }
--- a/codex-rs/app-server/tests/suite/v2/account.rs
+++ b/codex-rs/app-server/tests/suite/v2/account.rs
@@ -0,0 +1,492 @@
+use anyhow::Result;
+use anyhow::bail;
+use app_test_support::McpProcess;
+use app_test_support::to_response;
+
+use app_test_support::ChatGptAuthFixture;
+use app_test_support::write_chatgpt_auth;
+use codex_app_server_protocol::Account;
+use codex_app_server_protocol::AuthMode;
+use codex_app_server_protocol::CancelLoginAccountParams;
+use codex_app_server_protocol::CancelLoginAccountResponse;
+use codex_app_server_protocol::GetAccountParams;
+use codex_app_server_protocol::GetAccountResponse;
+use codex_app_server_protocol::JSONRPCError;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::LoginAccountResponse;
+use codex_app_server_protocol::LogoutAccountResponse;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ServerNotification;
+use codex_core::auth::AuthCredentialsStoreMode;
+use codex_login::login_with_api_key;
+use codex_protocol::account::PlanType as AccountPlanType;
+use pretty_assertions::assert_eq;
+use serial_test::serial;
+use std::path::Path;
+use std::time::Duration;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+// Helper to create a minimal config.toml for the app server
+#[derive(Default)]
+struct CreateConfigTomlParams {
+    forced_method: Option<String>,
+    forced_workspace_id: Option<String>,
+    requires_openai_auth: Option<bool>,
+}
+
+fn create_config_toml(codex_home: &Path, params: CreateConfigTomlParams) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    let forced_line = if let Some(method) = params.forced_method {
+        format!("forced_login_method = \"{method}\"\n")
+    } else {
+        String::new()
+    };
+    let forced_workspace_line = if let Some(ws) = params.forced_workspace_id {
+        format!("forced_chatgpt_workspace_id = \"{ws}\"\n")
+    } else {
+        String::new()
+    };
+    let requires_line = match params.requires_openai_auth {
+        Some(true) => "requires_openai_auth = true\n".to_string(),
+        Some(false) => String::new(),
+        None => String::new(),
+    };
+    let contents = format!(
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+{forced_line}
+{forced_workspace_line}
+
+model_provider = "mock_provider"
+
+[model_providers.mock_provider]
+name = "Mock provider for test"
+base_url = "http://127.0.0.1:0/v1"
+wire_api = "chat"
+request_max_retries = 0
+stream_max_retries = 0
+{requires_line}
+"#
+    );
+    std::fs::write(config_toml, contents)
+}
+
+#[tokio::test]
+async fn logout_account_removes_auth_and_notifies() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), CreateConfigTomlParams::default())?;
+
+    login_with_api_key(
+        codex_home.path(),
+        "sk-test-key",
+        AuthCredentialsStoreMode::File,
+    )?;
+    assert!(codex_home.path().join("auth.json").exists());
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let id = mcp.send_logout_account_request().await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(id)),
+    )
+    .await??;
+    let _ok: LogoutAccountResponse = to_response(resp)?;
+
+    let note = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+    let parsed: ServerNotification = note.try_into()?;
+    let ServerNotification::AccountUpdated(payload) = parsed else {
+        bail!("unexpected notification: {parsed:?}");
+    };
+    assert!(
+        payload.auth_mode.is_none(),
+        "auth_method should be None after logout"
+    );
+
+    assert!(
+        !codex_home.path().join("auth.json").exists(),
+        "auth.json should be deleted"
+    );
+
+    let get_id = mcp
+        .send_get_account_request(GetAccountParams {
+            refresh_token: false,
+        })
+        .await?;
+    let get_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(get_id)),
+    )
+    .await??;
+    let account: GetAccountResponse = to_response(get_resp)?;
+    assert_eq!(account.account, None);
+    Ok(())
+}
+
+#[tokio::test]
+async fn login_account_api_key_succeeds_and_notifies() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), CreateConfigTomlParams::default())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let req_id = mcp
+        .send_login_account_api_key_request("sk-test-key")
+        .await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(req_id)),
+    )
+    .await??;
+    let login: LoginAccountResponse = to_response(resp)?;
+    assert_eq!(login, LoginAccountResponse::ApiKey {});
+
+    let note = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/login/completed"),
+    )
+    .await??;
+    let parsed: ServerNotification = note.try_into()?;
+    let ServerNotification::AccountLoginCompleted(payload) = parsed else {
+        bail!("unexpected notification: {parsed:?}");
+    };
+    pretty_assertions::assert_eq!(payload.login_id, None);
+    pretty_assertions::assert_eq!(payload.success, true);
+    pretty_assertions::assert_eq!(payload.error, None);
+
+    let note = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+    let parsed: ServerNotification = note.try_into()?;
+    let ServerNotification::AccountUpdated(payload) = parsed else {
+        bail!("unexpected notification: {parsed:?}");
+    };
+    pretty_assertions::assert_eq!(payload.auth_mode, Some(AuthMode::ApiKey));
+
+    assert!(codex_home.path().join("auth.json").exists());
+    Ok(())
+}
+
+#[tokio::test]
+async fn login_account_api_key_rejected_when_forced_chatgpt() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            forced_method: Some("chatgpt".to_string()),
+            ..Default::default()
+        },
+    )?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp
+        .send_login_account_api_key_request("sk-test-key")
+        .await?;
+    let err: JSONRPCError = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+
+    assert_eq!(
+        err.error.message,
+        "API key login is disabled. Use ChatGPT login instead."
+    );
+    Ok(())
+}
+
+#[tokio::test]
+async fn login_account_chatgpt_rejected_when_forced_api() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            forced_method: Some("api".to_string()),
+            ..Default::default()
+        },
+    )?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp.send_login_account_chatgpt_request().await?;
+    let err: JSONRPCError = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+
+    assert_eq!(
+        err.error.message,
+        "ChatGPT login is disabled. Use API key login instead."
+    );
+    Ok(())
+}
+
+#[tokio::test]
+// Serialize tests that launch the login server since it binds to a fixed port.
+#[serial(login_port)]
+async fn login_account_chatgpt_start() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), CreateConfigTomlParams::default())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp.send_login_account_chatgpt_request().await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+
+    let login: LoginAccountResponse = to_response(resp)?;
+    let LoginAccountResponse::Chatgpt { login_id, auth_url } = login else {
+        bail!("unexpected login response: {login:?}");
+    };
+    assert!(
+        auth_url.contains("redirect_uri=http%3A%2F%2Flocalhost"),
+        "auth_url should contain a redirect_uri to localhost"
+    );
+
+    let cancel_id = mcp
+        .send_cancel_login_account_request(CancelLoginAccountParams {
+            login_id: login_id.clone(),
+        })
+        .await?;
+    let cancel_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(cancel_id)),
+    )
+    .await??;
+    let _ok: CancelLoginAccountResponse = to_response(cancel_resp)?;
+
+    let note = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/login/completed"),
+    )
+    .await??;
+    let parsed: ServerNotification = note.try_into()?;
+    let ServerNotification::AccountLoginCompleted(payload) = parsed else {
+        bail!("unexpected notification: {parsed:?}");
+    };
+    pretty_assertions::assert_eq!(payload.login_id, Some(login_id));
+    pretty_assertions::assert_eq!(payload.success, false);
+    assert!(
+        payload.error.is_some(),
+        "expected a non-empty error on cancel"
+    );
+
+    let maybe_updated = timeout(
+        Duration::from_millis(500),
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await;
+    assert!(
+        maybe_updated.is_err(),
+        "account/updated should not be emitted when login is cancelled"
+    );
+    Ok(())
+}
+
+#[tokio::test]
+// Serialize tests that launch the login server since it binds to a fixed port.
+#[serial(login_port)]
+async fn login_account_chatgpt_includes_forced_workspace_query_param() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            forced_workspace_id: Some("ws-forced".to_string()),
+            ..Default::default()
+        },
+    )?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp.send_login_account_chatgpt_request().await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+
+    let login: LoginAccountResponse = to_response(resp)?;
+    let LoginAccountResponse::Chatgpt { auth_url, .. } = login else {
+        bail!("unexpected login response: {login:?}");
+    };
+    assert!(
+        auth_url.contains("allowed_workspace_id=ws-forced"),
+        "auth URL should include forced workspace"
+    );
+    Ok(())
+}
+
+#[tokio::test]
+async fn get_account_no_auth() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(true),
+            ..Default::default()
+        },
+    )?;
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let params = GetAccountParams {
+        refresh_token: false,
+    };
+    let request_id = mcp.send_get_account_request(params).await?;
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    let account: GetAccountResponse = to_response(resp)?;
+
+    assert_eq!(account.account, None, "expected no account");
+    assert_eq!(account.requires_openai_auth, true);
+    Ok(())
+}
+
+#[tokio::test]
+async fn get_account_with_api_key() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(true),
+            ..Default::default()
+        },
+    )?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let req_id = mcp
+        .send_login_account_api_key_request("sk-test-key")
+        .await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(req_id)),
+    )
+    .await??;
+    let _login_ok = to_response::<LoginAccountResponse>(resp)?;
+
+    let params = GetAccountParams {
+        refresh_token: false,
+    };
+    let request_id = mcp.send_get_account_request(params).await?;
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    let received: GetAccountResponse = to_response(resp)?;
+
+    let expected = GetAccountResponse {
+        account: Some(Account::ApiKey {}),
+        requires_openai_auth: true,
+    };
+    assert_eq!(received, expected);
+    Ok(())
+}
+
+#[tokio::test]
+async fn get_account_when_auth_not_required() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(false),
+            ..Default::default()
+        },
+    )?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let params = GetAccountParams {
+        refresh_token: false,
+    };
+    let request_id = mcp.send_get_account_request(params).await?;
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    let received: GetAccountResponse = to_response(resp)?;
+
+    let expected = GetAccountResponse {
+        account: None,
+        requires_openai_auth: false,
+    };
+    assert_eq!(received, expected);
+    Ok(())
+}
+
+#[tokio::test]
+async fn get_account_with_chatgpt() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(true),
+            ..Default::default()
+        },
+    )?;
+    write_chatgpt_auth(
+        codex_home.path(),
+        ChatGptAuthFixture::new("access-chatgpt")
+            .email("user@example.com")
+            .plan_type("pro"),
+        AuthCredentialsStoreMode::File,
+    )?;
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let params = GetAccountParams {
+        refresh_token: false,
+    };
+    let request_id = mcp.send_get_account_request(params).await?;
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    let received: GetAccountResponse = to_response(resp)?;
+
+    let expected = GetAccountResponse {
+        account: Some(Account::Chatgpt {
+            email: "user@example.com".to_string(),
+            plan_type: AccountPlanType::Pro,
+        }),
+        requires_openai_auth: true,
+    };
+    assert_eq!(received, expected);
+    Ok(())
+}
--- a/codex-rs/app-server/tests/suite/v2/mod.rs
+++ b/codex-rs/app-server/tests/suite/v2/mod.rs
@@ -0,0 +1,9 @@
+mod account;
+mod model_list;
+mod rate_limits;
+mod thread_archive;
+mod thread_list;
+mod thread_resume;
+mod thread_start;
+mod turn_interrupt;
+mod turn_start;
--- a/codex-rs/app-server/tests/suite/v2/model_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/model_list.rs
@@ -6,9 +6,9 @@ use app_test_support::McpProcess;
 use app_test_support::to_response;
 use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::ListModelsParams;
-use codex_app_server_protocol::ListModelsResponse;
 use codex_app_server_protocol::Model;
+use codex_app_server_protocol::ModelListParams;
+use codex_app_server_protocol::ModelListResponse;
 use codex_app_server_protocol::ReasoningEffortOption;
 use codex_app_server_protocol::RequestId;
 use codex_protocol::config_types::ReasoningEffort;
@@ -19,7 +19,7 @@ use tokio::time::timeout;
 const DEFAULT_TIMEOUT: Duration = Duration::from_secs(10);
 const INVALID_REQUEST_ERROR_CODE: i64 = -32600;

-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[tokio::test]
 async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
    let codex_home = TempDir::new()?;
    let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -27,8 +27,8 @@ async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;

    let request_id = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(100),
+        .send_list_models_request(ModelListParams {
+            limit: Some(100),
            cursor: None,
        })
        .await?;
@@ -39,14 +39,17 @@ async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
    )
    .await??;

-    let ListModelsResponse { items, next_cursor } = to_response::<ListModelsResponse>(response)?;
+    let ModelListResponse {
+        data: items,
+        next_cursor,
+    } = to_response::<ModelListResponse>(response)?;

    let expected_models = vec![
        Model {
            id: "gpt-5-codex".to_string(),
            model: "gpt-5-codex".to_string(),
            display_name: "gpt-5-codex".to_string(),
-            description: "Optimized for coding tasks with many tools.".to_string(),
+            description: "Optimized for codex.".to_string(),
            supported_reasoning_efforts: vec![
                ReasoningEffortOption {
                    reasoning_effort: ReasoningEffort::Low,
@@ -103,7 +106,7 @@ async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
    Ok(())
 }

-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[tokio::test]
 async fn list_models_pagination_works() -> Result<()> {
    let codex_home = TempDir::new()?;
    let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -111,8 +114,8 @@ async fn list_models_pagination_works() -> Result<()> {
    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;

    let first_request = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(1),
+        .send_list_models_request(ModelListParams {
+            limit: Some(1),
            cursor: None,
        })
        .await?;
@@ -123,18 +126,18 @@ async fn list_models_pagination_works() -> Result<()> {
    )
    .await??;

-    let ListModelsResponse {
-        items: first_items,
+    let ModelListResponse {
+        data: first_items,
        next_cursor: first_cursor,
-    } = to_response::<ListModelsResponse>(first_response)?;
+    } = to_response::<ModelListResponse>(first_response)?;

    assert_eq!(first_items.len(), 1);
    assert_eq!(first_items[0].id, "gpt-5-codex");
    let next_cursor = first_cursor.ok_or_else(|| anyhow!("cursor for second page"))?;

    let second_request = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(1),
+        .send_list_models_request(ModelListParams {
+            limit: Some(1),
            cursor: Some(next_cursor.clone()),
        })
        .await?;
@@ -145,10 +148,10 @@ async fn list_models_pagination_works() -> Result<()> {
    )
    .await??;

-    let ListModelsResponse {
-        items: second_items,
+    let ModelListResponse {
+        data: second_items,
        next_cursor: second_cursor,
-    } = to_response::<ListModelsResponse>(second_response)?;
+    } = to_response::<ModelListResponse>(second_response)?;

    assert_eq!(second_items.len(), 1);
    assert_eq!(second_items[0].id, "gpt-5");
@@ -156,7 +159,7 @@ async fn list_models_pagination_works() -> Result<()> {
    Ok(())
 }

-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[tokio::test]
 async fn list_models_rejects_invalid_cursor() -> Result<()> {
    let codex_home = TempDir::new()?;
    let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -164,8 +167,8 @@ async fn list_models_rejects_invalid_cursor() -> Result<()> {
    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;

    let request_id = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: None,
+        .send_list_models_request(ModelListParams {
+            limit: None,
            cursor: Some("invalid".to_string()),
        })
        .await?;
--- a/codex-rs/app-server/tests/suite/v2/rate_limits.rs
+++ b/codex-rs/app-server/tests/suite/v2/rate_limits.rs
@@ -7,10 +7,10 @@ use codex_app_server_protocol::GetAccountRateLimitsResponse;
 use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::LoginApiKeyParams;
+use codex_app_server_protocol::RateLimitSnapshot;
+use codex_app_server_protocol::RateLimitWindow;
 use codex_app_server_protocol::RequestId;
 use codex_core::auth::AuthCredentialsStoreMode;
-use codex_protocol::protocol::RateLimitSnapshot;
-use codex_protocol::protocol::RateLimitWindow;
 use pretty_assertions::assert_eq;
 use serde_json::json;
 use std::path::Path;
@@ -26,7 +26,7 @@ use wiremock::matchers::path;
 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
 const INVALID_REQUEST_ERROR_CODE: i64 = -32600;

-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[tokio::test]
 async fn get_account_rate_limits_requires_auth() -> Result<()> {
    let codex_home = TempDir::new()?;

@@ -51,7 +51,7 @@ async fn get_account_rate_limits_requires_auth() -> Result<()> {
    Ok(())
 }

-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[tokio::test]
 async fn get_account_rate_limits_requires_chatgpt_auth() -> Result<()> {
    let codex_home = TempDir::new()?;

@@ -78,7 +78,7 @@ async fn get_account_rate_limits_requires_chatgpt_auth() -> Result<()> {
    Ok(())
 }

-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[tokio::test]
 async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
    let codex_home = TempDir::new()?;
    write_chatgpt_auth(
@@ -143,13 +143,13 @@ async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
    let expected = GetAccountRateLimitsResponse {
        rate_limits: RateLimitSnapshot {
            primary: Some(RateLimitWindow {
-                used_percent: 42.0,
-                window_minutes: Some(60),
+                used_percent: 42,
+                window_duration_mins: Some(60),
                resets_at: Some(primary_reset_timestamp),
            }),
            secondary: Some(RateLimitWindow {
-                used_percent: 5.0,
-                window_minutes: Some(1440),
+                used_percent: 5,
+                window_duration_mins: Some(1440),
                resets_at: Some(secondary_reset_timestamp),
            }),
        },
--- a/codex-rs/app-server/tests/suite/v2/thread_archive.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_archive.rs
@@ -0,0 +1,93 @@
+use anyhow::Result;
+use app_test_support::McpProcess;
+use app_test_support::to_response;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ThreadArchiveParams;
+use codex_app_server_protocol::ThreadArchiveResponse;
+use codex_app_server_protocol::ThreadStartParams;
+use codex_app_server_protocol::ThreadStartResponse;
+use codex_core::ARCHIVED_SESSIONS_SUBDIR;
+use codex_core::find_conversation_path_by_id_str;
+use std::path::Path;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+#[tokio::test]
+async fn thread_archive_moves_rollout_into_archived_directory() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // Start a thread.
+    let start_id = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let start_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(start_id)),
+    )
+    .await??;
+    let ThreadStartResponse { thread } = to_response::<ThreadStartResponse>(start_resp)?;
+    assert!(!thread.id.is_empty());
+
+    // Locate the rollout path recorded for this thread id.
+    let rollout_path = find_conversation_path_by_id_str(codex_home.path(), &thread.id)
+        .await?
+        .expect("expected rollout path for thread id to exist");
+    assert!(
+        rollout_path.exists(),
+        "expected {} to exist",
+        rollout_path.display()
+    );
+
+    // Archive the thread.
+    let archive_id = mcp
+        .send_thread_archive_request(ThreadArchiveParams {
+            thread_id: thread.id.clone(),
+        })
+        .await?;
+    let archive_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(archive_id)),
+    )
+    .await??;
+    let _: ThreadArchiveResponse = to_response::<ThreadArchiveResponse>(archive_resp)?;
+
+    // Verify file moved.
+    let archived_directory = codex_home.path().join(ARCHIVED_SESSIONS_SUBDIR);
+    // The archived file keeps the original filename (rollout-...-<id>.jsonl).
+    let archived_rollout_path =
+        archived_directory.join(rollout_path.file_name().expect("rollout file name"));
+    assert!(
+        !rollout_path.exists(),
+        "expected rollout path {} to be moved",
+        rollout_path.display()
+    );
+    assert!(
+        archived_rollout_path.exists(),
+        "expected archived rollout path {} to exist",
+        archived_rollout_path.display()
+    );
+
+    Ok(())
+}
+
+fn create_config_toml(codex_home: &Path) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(config_toml, config_contents())
+}
+
+fn config_contents() -> &'static str {
+    r#"model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "read-only"
+"#
+}
--- a/codex-rs/app-server/tests/suite/v2/thread_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_list.rs
@@ -0,0 +1,220 @@
+use anyhow::Result;
+use app_test_support::McpProcess;
+use app_test_support::create_fake_rollout;
+use app_test_support::to_response;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ThreadListParams;
+use codex_app_server_protocol::ThreadListResponse;
+use serde_json::json;
+use tempfile::TempDir;
+use tokio::time::timeout;
+use uuid::Uuid;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+#[tokio::test]
+async fn thread_list_basic_empty() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_minimal_config(codex_home.path())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // List threads in an empty CODEX_HOME; should return an empty page with nextCursor: null.
+    let list_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: None,
+            limit: Some(10),
+            model_providers: None,
+        })
+        .await?;
+    let list_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(list_id)),
+    )
+    .await??;
+    let ThreadListResponse { data, next_cursor } = to_response::<ThreadListResponse>(list_resp)?;
+    assert!(data.is_empty());
+    assert_eq!(next_cursor, None);
+
+    Ok(())
+}
+
+// Minimal config.toml for listing.
+fn create_minimal_config(codex_home: &std::path::Path) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(
+        config_toml,
+        r#"
+model = "mock-model"
+approval_policy = "never"
+"#,
+    )
+}
+
+#[tokio::test]
+async fn thread_list_pagination_next_cursor_none_on_last_page() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_minimal_config(codex_home.path())?;
+
+    // Create three rollouts so we can paginate with limit=2.
+    let _a = create_fake_rollout(
+        codex_home.path(),
+        "2025-01-02T12-00-00",
+        "2025-01-02T12:00:00Z",
+        "Hello",
+        Some("mock_provider"),
+    )?;
+    let _b = create_fake_rollout(
+        codex_home.path(),
+        "2025-01-01T13-00-00",
+        "2025-01-01T13:00:00Z",
+        "Hello",
+        Some("mock_provider"),
+    )?;
+    let _c = create_fake_rollout(
+        codex_home.path(),
+        "2025-01-01T12-00-00",
+        "2025-01-01T12:00:00Z",
+        "Hello",
+        Some("mock_provider"),
+    )?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // Page 1: limit 2 → expect next_cursor Some.
+    let page1_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: None,
+            limit: Some(2),
+            model_providers: Some(vec!["mock_provider".to_string()]),
+        })
+        .await?;
+    let page1_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(page1_id)),
+    )
+    .await??;
+    let ThreadListResponse {
+        data: data1,
+        next_cursor: cursor1,
+    } = to_response::<ThreadListResponse>(page1_resp)?;
+    assert_eq!(data1.len(), 2);
+    for thread in &data1 {
+        assert_eq!(thread.preview, "Hello");
+        assert_eq!(thread.model_provider, "mock_provider");
+        assert!(thread.created_at > 0);
+    }
+    let cursor1 = cursor1.expect("expected nextCursor on first page");
+
+    // Page 2: with cursor → expect next_cursor None when no more results.
+    let page2_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: Some(cursor1),
+            limit: Some(2),
+            model_providers: Some(vec!["mock_provider".to_string()]),
+        })
+        .await?;
+    let page2_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(page2_id)),
+    )
+    .await??;
+    let ThreadListResponse {
+        data: data2,
+        next_cursor: cursor2,
+    } = to_response::<ThreadListResponse>(page2_resp)?;
+    assert!(data2.len() <= 2);
+    for thread in &data2 {
+        assert_eq!(thread.preview, "Hello");
+        assert_eq!(thread.model_provider, "mock_provider");
+        assert!(thread.created_at > 0);
+    }
+    assert_eq!(cursor2, None, "expected nextCursor to be null on last page");
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn thread_list_respects_provider_filter() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_minimal_config(codex_home.path())?;
+
+    // Create rollouts under two providers.
+    let _a = create_fake_rollout(
+        codex_home.path(),
+        "2025-01-02T10-00-00",
+        "2025-01-02T10:00:00Z",
+        "X",
+        Some("mock_provider"),
+    )?; // mock_provider
+    // one with a different provider
+    let uuid = Uuid::new_v4();
+    let dir = codex_home
+        .path()
+        .join("sessions")
+        .join("2025")
+        .join("01")
+        .join("02");
+    std::fs::create_dir_all(&dir)?;
+    let file_path = dir.join(format!("rollout-2025-01-02T11-00-00-{uuid}.jsonl"));
+    let lines = [
+        json!({
+            "timestamp": "2025-01-02T11:00:00Z",
+            "type": "session_meta",
+            "payload": {
+                "id": uuid,
+                "timestamp": "2025-01-02T11:00:00Z",
+                "cwd": "/",
+                "originator": "codex",
+                "cli_version": "0.0.0",
+                "instructions": null,
+                "source": "vscode",
+                "model_provider": "other_provider"
+            }
+        })
+        .to_string(),
+        json!({
+            "timestamp": "2025-01-02T11:00:00Z",
+            "type":"response_item",
+            "payload": {"type":"message","role":"user","content":[{"type":"input_text","text":"X"}]}
+        })
+        .to_string(),
+        json!({
+            "timestamp": "2025-01-02T11:00:00Z",
+            "type":"event_msg",
+            "payload": {"type":"user_message","message":"X","kind":"plain"}
+        })
+        .to_string(),
+    ];
+    std::fs::write(file_path, lines.join("\n") + "\n")?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // Filter to only other_provider; expect 1 item, nextCursor None.
+    let list_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: None,
+            limit: Some(10),
+            model_providers: Some(vec!["other_provider".to_string()]),
+        })
+        .await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(list_id)),
+    )
+    .await??;
+    let ThreadListResponse { data, next_cursor } = to_response::<ThreadListResponse>(resp)?;
+    assert_eq!(data.len(), 1);
+    assert_eq!(next_cursor, None);
+    let thread = &data[0];
+    assert_eq!(thread.preview, "X");
+    assert_eq!(thread.model_provider, "other_provider");
+    let expected_ts = chrono::DateTime::parse_from_rfc3339("2025-01-02T11:00:00Z")?.timestamp();
+    assert_eq!(thread.created_at, expected_ts);
+
+    Ok(())
+}
--- a/codex-rs/app-server/tests/suite/v2/thread_resume.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_resume.rs
@@ -0,0 +1,79 @@
+use anyhow::Result;
+use app_test_support::McpProcess;
+use app_test_support::create_mock_chat_completions_server;
+use app_test_support::to_response;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ThreadResumeParams;
+use codex_app_server_protocol::ThreadResumeResponse;
+use codex_app_server_protocol::ThreadStartParams;
+use codex_app_server_protocol::ThreadStartResponse;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+#[tokio::test]
+async fn thread_resume_returns_existing_thread() -> Result<()> {
+    let server = create_mock_chat_completions_server(vec![]).await;
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), &server.uri())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // Start a thread.
+    let start_id = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("gpt-5-codex".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let start_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(start_id)),
+    )
+    .await??;
+    let ThreadStartResponse { thread } = to_response::<ThreadStartResponse>(start_resp)?;
+
+    // Resume it via v2 API.
+    let resume_id = mcp
+        .send_thread_resume_request(ThreadResumeParams {
+            thread_id: thread.id.clone(),
+        })
+        .await?;
+    let resume_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(resume_id)),
+    )
+    .await??;
+    let ThreadResumeResponse { thread: resumed } =
+        to_response::<ThreadResumeResponse>(resume_resp)?;
+    assert_eq!(resumed, thread);
+
+    Ok(())
+}
+
+// Helper to create a config.toml pointing at the mock model server.
+fn create_config_toml(codex_home: &std::path::Path, server_uri: &str) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(
+        config_toml,
+        format!(
+            r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "read-only"
+
+model_provider = "mock_provider"
+
+[model_providers.mock_provider]
+name = "Mock provider for test"
+base_url = "{server_uri}/v1"
+wire_api = "chat"
+request_max_retries = 0
+stream_max_retries = 0
+"#
+        ),
+    )
+}
--- a/codex-rs/app-server/tests/suite/v2/thread_start.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_start.rs
@@ -0,0 +1,90 @@
+use anyhow::Result;
+use app_test_support::McpProcess;
+use app_test_support::create_mock_chat_completions_server;
+use app_test_support::to_response;
+use codex_app_server_protocol::JSONRPCNotification;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ThreadStartParams;
+use codex_app_server_protocol::ThreadStartResponse;
+use codex_app_server_protocol::ThreadStartedNotification;
+use std::path::Path;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+#[tokio::test]
+async fn thread_start_creates_thread_and_emits_started() -> Result<()> {
+    // Provide a mock server and config so model wiring is valid.
+    let server = create_mock_chat_completions_server(vec![]).await;
+
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), &server.uri())?;
+
+    // Start server and initialize.
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // Start a v2 thread with an explicit model override.
+    let req_id = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("gpt-5".to_string()),
+            ..Default::default()
+        })
+        .await?;
+
+    // Expect a proper JSON-RPC response with a thread id.
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(req_id)),
+    )
+    .await??;
+    let ThreadStartResponse { thread } = to_response::<ThreadStartResponse>(resp)?;
+    assert!(!thread.id.is_empty(), "thread id should not be empty");
+    assert!(
+        thread.preview.is_empty(),
+        "new threads should start with an empty preview"
+    );
+    assert_eq!(thread.model_provider, "mock_provider");
+    assert!(
+        thread.created_at > 0,
+        "created_at should be a positive UNIX timestamp"
+    );
+
+    // A corresponding thread/started notification should arrive.
+    let notif: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("thread/started"),
+    )
+    .await??;
+    let started: ThreadStartedNotification =
+        serde_json::from_value(notif.params.expect("params must be present"))?;
+    assert_eq!(started.thread, thread);
+
+    Ok(())
+}
+
+// Helper to create a config.toml pointing at the mock model server.
+fn create_config_toml(codex_home: &Path, server_uri: &str) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(
+        config_toml,
+        format!(
+            r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "read-only"
+
+model_provider = "mock_provider"
+
+[model_providers.mock_provider]
+name = "Mock provider for test"
+base_url = "{server_uri}/v1"
+wire_api = "chat"
+request_max_retries = 0
+stream_max_retries = 0
+"#
+        ),
+    )
+}
--- a/codex-rs/app-server/tests/suite/v2/turn_interrupt.rs
+++ b/codex-rs/app-server/tests/suite/v2/turn_interrupt.rs
@@ -0,0 +1,128 @@
+#![cfg(unix)]
+
+use anyhow::Result;
+use app_test_support::McpProcess;
+use app_test_support::create_mock_chat_completions_server;
+use app_test_support::create_shell_sse_response;
+use app_test_support::to_response;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ThreadStartParams;
+use codex_app_server_protocol::ThreadStartResponse;
+use codex_app_server_protocol::TurnInterruptParams;
+use codex_app_server_protocol::TurnInterruptResponse;
+use codex_app_server_protocol::TurnStartParams;
+use codex_app_server_protocol::TurnStartResponse;
+use codex_app_server_protocol::UserInput as V2UserInput;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+#[tokio::test]
+async fn turn_interrupt_aborts_running_turn() -> Result<()> {
+    // Use a portable sleep command to keep the turn running.
+    #[cfg(target_os = "windows")]
+    let shell_command = vec![
+        "powershell".to_string(),
+        "-Command".to_string(),
+        "Start-Sleep -Seconds 10".to_string(),
+    ];
+    #[cfg(not(target_os = "windows"))]
+    let shell_command = vec!["sleep".to_string(), "10".to_string()];
+
+    let tmp = TempDir::new()?;
+    let codex_home = tmp.path().join("codex_home");
+    std::fs::create_dir(&codex_home)?;
+    let working_directory = tmp.path().join("workdir");
+    std::fs::create_dir(&working_directory)?;
+
+    // Mock server: long-running shell command then (after abort) nothing else needed.
+    let server = create_mock_chat_completions_server(vec![create_shell_sse_response(
+        shell_command.clone(),
+        Some(&working_directory),
+        Some(10_000),
+        "call_sleep",
+    )?])
+    .await;
+    create_config_toml(&codex_home, &server.uri())?;
+
+    let mut mcp = McpProcess::new(&codex_home).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // Start a v2 thread and capture its id.
+    let thread_req = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let ThreadStartResponse { thread } = to_response::<ThreadStartResponse>(thread_resp)?;
+
+    // Start a turn that triggers a long-running command.
+    let turn_req = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::Text {
+                text: "run sleep".to_string(),
+            }],
+            cwd: Some(working_directory.clone()),
+            ..Default::default()
+        })
+        .await?;
+    let turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    let TurnStartResponse { turn } = to_response::<TurnStartResponse>(turn_resp)?;
+
+    // Give the command a brief moment to start.
+    tokio::time::sleep(std::time::Duration::from_secs(1)).await;
+
+    // Interrupt the in-progress turn by id (v2 API).
+    let interrupt_id = mcp
+        .send_turn_interrupt_request(TurnInterruptParams {
+            thread_id: thread.id,
+            turn_id: turn.id,
+        })
+        .await?;
+    let interrupt_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(interrupt_id)),
+    )
+    .await??;
+    let _resp: TurnInterruptResponse = to_response::<TurnInterruptResponse>(interrupt_resp)?;
+
+    // No fields to assert on; successful deserialization confirms proper response shape.
+    Ok(())
+}
+
+// Helper to create a config.toml pointing at the mock model server.
+fn create_config_toml(codex_home: &std::path::Path, server_uri: &str) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(
+        config_toml,
+        format!(
+            r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "workspace-write"
+
+model_provider = "mock_provider"
+
+[model_providers.mock_provider]
+name = "Mock provider for test"
+base_url = "{server_uri}/v1"
+wire_api = "chat"
+request_max_retries = 0
+stream_max_retries = 0
+"#
+        ),
+    )
+}
--- a/codex-rs/app-server/tests/suite/v2/turn_start.rs
+++ b/codex-rs/app-server/tests/suite/v2/turn_start.rs
@@ -0,0 +1,486 @@
+use anyhow::Result;
+use app_test_support::McpProcess;
+use app_test_support::create_final_assistant_message_sse_response;
+use app_test_support::create_mock_chat_completions_server;
+use app_test_support::create_mock_chat_completions_server_unchecked;
+use app_test_support::create_shell_sse_response;
+use app_test_support::to_response;
+use codex_app_server_protocol::JSONRPCNotification;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ServerRequest;
+use codex_app_server_protocol::ThreadStartParams;
+use codex_app_server_protocol::ThreadStartResponse;
+use codex_app_server_protocol::TurnStartParams;
+use codex_app_server_protocol::TurnStartResponse;
+use codex_app_server_protocol::TurnStartedNotification;
+use codex_app_server_protocol::UserInput as V2UserInput;
+use codex_core::protocol_config_types::ReasoningEffort;
+use codex_core::protocol_config_types::ReasoningSummary;
+use codex_protocol::parse_command::ParsedCommand;
+use codex_protocol::protocol::Event;
+use codex_protocol::protocol::EventMsg;
+use core_test_support::skip_if_no_network;
+use pretty_assertions::assert_eq;
+use std::path::Path;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+#[tokio::test]
+async fn turn_start_emits_notifications_and_accepts_model_override() -> Result<()> {
+    // Provide a mock server and config so model wiring is valid.
+    // Three Codex turns hit the mock model (session start + two turn/start calls).
+    let responses = vec![
+        create_final_assistant_message_sse_response("Done")?,
+        create_final_assistant_message_sse_response("Done")?,
+        create_final_assistant_message_sse_response("Done")?,
+    ];
+    let server = create_mock_chat_completions_server_unchecked(responses).await;
+
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), &server.uri(), "never")?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // Start a thread (v2) and capture its id.
+    let thread_req = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let ThreadStartResponse { thread } = to_response::<ThreadStartResponse>(thread_resp)?;
+
+    // Start a turn with only input and thread_id set (no overrides).
+    let turn_req = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::Text {
+                text: "Hello".to_string(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+    let turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    let TurnStartResponse { turn } = to_response::<TurnStartResponse>(turn_resp)?;
+    assert!(!turn.id.is_empty());
+
+    // Expect a turn/started notification.
+    let notif: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/started"),
+    )
+    .await??;
+    let started: TurnStartedNotification =
+        serde_json::from_value(notif.params.expect("params must be present"))?;
+    assert_eq!(
+        started.turn.status,
+        codex_app_server_protocol::TurnStatus::InProgress
+    );
+
+    // Send a second turn that exercises the overrides path: change the model.
+    let turn_req2 = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::Text {
+                text: "Second".to_string(),
+            }],
+            model: Some("mock-model-override".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let turn_resp2: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req2)),
+    )
+    .await??;
+    let TurnStartResponse { turn: turn2 } = to_response::<TurnStartResponse>(turn_resp2)?;
+    assert!(!turn2.id.is_empty());
+    // Ensure the second turn has a different id than the first.
+    assert_ne!(turn.id, turn2.id);
+
+    // Expect a second turn/started notification as well.
+    let _notif2: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/started"),
+    )
+    .await??;
+
+    // And we should ultimately get a task_complete without having to add a
+    // legacy conversation listener explicitly (auto-attached by thread/start).
+    let _task_complete: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("codex/event/task_complete"),
+    )
+    .await??;
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn turn_start_accepts_local_image_input() -> Result<()> {
+    // Two Codex turns hit the mock model (session start + turn/start).
+    let responses = vec![
+        create_final_assistant_message_sse_response("Done")?,
+        create_final_assistant_message_sse_response("Done")?,
+    ];
+    // Use the unchecked variant because the request payload includes a LocalImage
+    // which the strict matcher does not currently cover.
+    let server = create_mock_chat_completions_server_unchecked(responses).await;
+
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), &server.uri(), "never")?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let thread_req = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let ThreadStartResponse { thread } = to_response::<ThreadStartResponse>(thread_resp)?;
+
+    let image_path = codex_home.path().join("image.png");
+    // No need to actually write the file; we just exercise the input path.
+
+    let turn_req = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::LocalImage { path: image_path }],
+            ..Default::default()
+        })
+        .await?;
+    let turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    let TurnStartResponse { turn } = to_response::<TurnStartResponse>(turn_resp)?;
+    assert!(!turn.id.is_empty());
+
+    // This test only validates that turn/start responds and returns a turn.
+    Ok(())
+}
+
+#[tokio::test]
+async fn turn_start_exec_approval_toggle_v2() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let tmp = TempDir::new()?;
+    let codex_home = tmp.path().to_path_buf();
+
+    // Mock server: first turn requests a shell call (elicitation), then completes.
+    // Second turn same, but we'll set approval_policy=never to avoid elicitation.
+    let responses = vec![
+        create_shell_sse_response(
+            vec![
+                "python3".to_string(),
+                "-c".to_string(),
+                "print(42)".to_string(),
+            ],
+            None,
+            Some(5000),
+            "call1",
+        )?,
+        create_final_assistant_message_sse_response("done 1")?,
+        create_shell_sse_response(
+            vec![
+                "python3".to_string(),
+                "-c".to_string(),
+                "print(42)".to_string(),
+            ],
+            None,
+            Some(5000),
+            "call2",
+        )?,
+        create_final_assistant_message_sse_response("done 2")?,
+    ];
+    let server = create_mock_chat_completions_server(responses).await;
+    // Default approval is untrusted to force elicitation on first turn.
+    create_config_toml(codex_home.as_path(), &server.uri(), "untrusted")?;
+
+    let mut mcp = McpProcess::new(codex_home.as_path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // thread/start
+    let start_id = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let start_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(start_id)),
+    )
+    .await??;
+    let ThreadStartResponse { thread } = to_response::<ThreadStartResponse>(start_resp)?;
+
+    // turn/start — expect ExecCommandApproval request from server
+    let first_turn_id = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::Text {
+                text: "run python".to_string(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+    // Acknowledge RPC
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(first_turn_id)),
+    )
+    .await??;
+
+    // Receive elicitation
+    let server_req = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_request_message(),
+    )
+    .await??;
+    let ServerRequest::ExecCommandApproval { request_id, params } = server_req else {
+        panic!("expected ExecCommandApproval request");
+    };
+    assert_eq!(params.call_id, "call1");
+    assert_eq!(
+        params.parsed_cmd,
+        vec![ParsedCommand::Unknown {
+            cmd: "python3 -c 'print(42)'".to_string()
+        }]
+    );
+
+    // Approve and wait for task completion
+    mcp.send_response(
+        request_id,
+        serde_json::json!({ "decision": codex_core::protocol::ReviewDecision::Approved }),
+    )
+    .await?;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("codex/event/task_complete"),
+    )
+    .await??;
+
+    // Second turn with approval_policy=never should not elicit approval
+    let second_turn_id = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::Text {
+                text: "run python again".to_string(),
+            }],
+            approval_policy: Some(codex_app_server_protocol::AskForApproval::Never),
+            sandbox_policy: Some(codex_app_server_protocol::SandboxPolicy::DangerFullAccess),
+            model: Some("mock-model".to_string()),
+            effort: Some(ReasoningEffort::Medium),
+            summary: Some(ReasoningSummary::Auto),
+            ..Default::default()
+        })
+        .await?;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(second_turn_id)),
+    )
+    .await??;
+
+    // Ensure we do NOT receive an ExecCommandApproval request before task completes
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("codex/event/task_complete"),
+    )
+    .await??;
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn turn_start_updates_sandbox_and_cwd_between_turns_v2() -> Result<()> {
+    // When returning Result from a test, pass an Ok(()) to the skip macro
+    // so the early return type matches. The no-arg form returns unit.
+    skip_if_no_network!(Ok(()));
+
+    let tmp = TempDir::new()?;
+    let codex_home = tmp.path().join("codex_home");
+    std::fs::create_dir(&codex_home)?;
+    let workspace_root = tmp.path().join("workspace");
+    std::fs::create_dir(&workspace_root)?;
+    let first_cwd = workspace_root.join("turn1");
+    let second_cwd = workspace_root.join("turn2");
+    std::fs::create_dir(&first_cwd)?;
+    std::fs::create_dir(&second_cwd)?;
+
+    let responses = vec![
+        create_shell_sse_response(
+            vec![
+                "bash".to_string(),
+                "-lc".to_string(),
+                "echo first turn".to_string(),
+            ],
+            None,
+            Some(5000),
+            "call-first",
+        )?,
+        create_final_assistant_message_sse_response("done first")?,
+        create_shell_sse_response(
+            vec![
+                "bash".to_string(),
+                "-lc".to_string(),
+                "echo second turn".to_string(),
+            ],
+            None,
+            Some(5000),
+            "call-second",
+        )?,
+        create_final_assistant_message_sse_response("done second")?,
+    ];
+    let server = create_mock_chat_completions_server(responses).await;
+    create_config_toml(&codex_home, &server.uri(), "untrusted")?;
+
+    let mut mcp = McpProcess::new(&codex_home).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // thread/start
+    let start_id = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let start_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(start_id)),
+    )
+    .await??;
+    let ThreadStartResponse { thread } = to_response::<ThreadStartResponse>(start_resp)?;
+
+    // first turn with workspace-write sandbox and first_cwd
+    let first_turn = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::Text {
+                text: "first turn".to_string(),
+            }],
+            cwd: Some(first_cwd.clone()),
+            approval_policy: Some(codex_app_server_protocol::AskForApproval::Never),
+            sandbox_policy: Some(codex_app_server_protocol::SandboxPolicy::WorkspaceWrite {
+                writable_roots: vec![first_cwd.clone()],
+                network_access: false,
+                exclude_tmpdir_env_var: false,
+                exclude_slash_tmp: false,
+            }),
+            model: Some("mock-model".to_string()),
+            effort: Some(ReasoningEffort::Medium),
+            summary: Some(ReasoningSummary::Auto),
+        })
+        .await?;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(first_turn)),
+    )
+    .await??;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("codex/event/task_complete"),
+    )
+    .await??;
+
+    // second turn with workspace-write and second_cwd, ensure exec begins in second_cwd
+    let second_turn = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::Text {
+                text: "second turn".to_string(),
+            }],
+            cwd: Some(second_cwd.clone()),
+            approval_policy: Some(codex_app_server_protocol::AskForApproval::Never),
+            sandbox_policy: Some(codex_app_server_protocol::SandboxPolicy::DangerFullAccess),
+            model: Some("mock-model".to_string()),
+            effort: Some(ReasoningEffort::Medium),
+            summary: Some(ReasoningSummary::Auto),
+        })
+        .await?;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(second_turn)),
+    )
+    .await??;
+
+    let exec_begin_notification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("codex/event/exec_command_begin"),
+    )
+    .await??;
+    let params = exec_begin_notification
+        .params
+        .clone()
+        .expect("exec_command_begin params");
+    let event: Event = serde_json::from_value(params).expect("deserialize exec begin event");
+    let exec_begin = match event.msg {
+        EventMsg::ExecCommandBegin(exec_begin) => exec_begin,
+        other => panic!("expected ExecCommandBegin event, got {other:?}"),
+    };
+    assert_eq!(exec_begin.cwd, second_cwd);
+    assert_eq!(
+        exec_begin.command,
+        vec![
+            "bash".to_string(),
+            "-lc".to_string(),
+            "echo second turn".to_string()
+        ]
+    );
+
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("codex/event/task_complete"),
+    )
+    .await??;
+
+    Ok(())
+}
+
+// Helper to create a config.toml pointing at the mock model server.
+fn create_config_toml(
+    codex_home: &Path,
+    server_uri: &str,
+    approval_policy: &str,
+) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(
+        config_toml,
+        format!(
+            r#"
+model = "mock-model"
+approval_policy = "{approval_policy}"
+sandbox_mode = "read-only"
+
+model_provider = "mock_provider"
+
+[model_providers.mock_provider]
+name = "Mock provider for test"
+base_url = "{server_uri}/v1"
+wire_api = "chat"
+request_max_retries = 0
+stream_max_retries = 0
+"#
+        ),
+    )
+}
--- a/codex-rs/apply-patch/src/lib.rs
+++ b/codex-rs/apply-patch/src/lib.rs
@@ -288,7 +288,7 @@ pub fn maybe_parse_apply_patch_verified(argv: &[String], cwd: &Path) -> MaybeApp
                            path,
                            ApplyPatchFileChange::Update {
                                unified_diff,
-                                move_path: move_path.map(|p| cwd.join(p)),
+                                move_path: move_path.map(|p| effective_cwd.join(p)),
                                new_content: contents,
                            },
                        );
@@ -1603,6 +1603,53 @@ g
        );
    }

+    #[test]
+    fn test_apply_patch_resolves_move_path_with_effective_cwd() {
+        let session_dir = tempdir().unwrap();
+        let worktree_rel = "alt";
+        let worktree_dir = session_dir.path().join(worktree_rel);
+        fs::create_dir_all(&worktree_dir).unwrap();
+
+        let source_name = "old.txt";
+        let dest_name = "renamed.txt";
+        let source_path = worktree_dir.join(source_name);
+        fs::write(&source_path, "before\n").unwrap();
+
+        let patch = wrap_patch(&format!(
+            r#"*** Update File: {source_name}
+*** Move to: {dest_name}
+@@
+-before
+after"#
+        ));
+
+        let shell_script = format!("cd {worktree_rel} && apply_patch <<'PATCH'\n{patch}\nPATCH");
+        let argv = vec!["bash".into(), "-lc".into(), shell_script];
+
+        let result = maybe_parse_apply_patch_verified(&argv, session_dir.path());
+        let action = match result {
+            MaybeApplyPatchVerified::Body(action) => action,
+            other => panic!("expected verified body, got {other:?}"),
+        };
+
+        assert_eq!(action.cwd, worktree_dir);
+
+        let change = action
+            .changes()
+            .get(&worktree_dir.join(source_name))
+            .expect("source file change present");
+
+        match change {
+            ApplyPatchFileChange::Update { move_path, .. } => {
+                assert_eq!(
+                    move_path.as_deref(),
+                    Some(worktree_dir.join(dest_name).as_path())
+                );
+            }
+            other => panic!("expected update change, got {other:?}"),
+        }
+    }
+
    #[test]
    fn test_apply_patch_fails_on_write_error() {
        let dir = tempdir().unwrap();
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -39,6 +39,7 @@ ctor = { workspace = true }
 owo-colors = { workspace = true }
 serde_json = { workspace = true }
 supports-color = { workspace = true }
+toml = { workspace = true }
 tokio = { workspace = true, features = [
    "io-std",
    "macros",
@@ -47,6 +48,9 @@ tokio = { workspace = true, features = [
    "signal",
 ] }

+[target.'cfg(target_os = "windows")'.dependencies]
+codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
+
 [dev-dependencies]
 assert_cmd = { workspace = true }
 assert_matches = { workspace = true }
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -5,14 +5,17 @@ use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::exec_env::create_env;
 use codex_core::landlock::spawn_command_under_linux_sandbox;
+#[cfg(target_os = "macos")]
 use codex_core::seatbelt::spawn_command_under_seatbelt;
 use codex_core::spawn::StdioPolicy;
 use codex_protocol::config_types::SandboxMode;

 use crate::LandlockCommand;
 use crate::SeatbeltCommand;
+use crate::WindowsCommand;
 use crate::exit_status::handle_exit_status;

+#[cfg(target_os = "macos")]
 pub async fn run_command_under_seatbelt(
    command: SeatbeltCommand,
    codex_linux_sandbox_exe: Option<PathBuf>,
@@ -32,6 +35,14 @@ pub async fn run_command_under_seatbelt(
    .await
 }

+#[cfg(not(target_os = "macos"))]
+pub async fn run_command_under_seatbelt(
+    _command: SeatbeltCommand,
+    _codex_linux_sandbox_exe: Option<PathBuf>,
+) -> anyhow::Result<()> {
+    anyhow::bail!("Seatbelt sandbox is only available on macOS");
+}
+
 pub async fn run_command_under_landlock(
    command: LandlockCommand,
    codex_linux_sandbox_exe: Option<PathBuf>,
@@ -51,9 +62,30 @@ pub async fn run_command_under_landlock(
    .await
 }

+pub async fn run_command_under_windows(
+    command: WindowsCommand,
+    codex_linux_sandbox_exe: Option<PathBuf>,
+) -> anyhow::Result<()> {
+    let WindowsCommand {
+        full_auto,
+        config_overrides,
+        command,
+    } = command;
+    run_command_under_sandbox(
+        full_auto,
+        command,
+        config_overrides,
+        codex_linux_sandbox_exe,
+        SandboxType::Windows,
+    )
+    .await
+}
+
 enum SandboxType {
+    #[cfg(target_os = "macos")]
    Seatbelt,
    Landlock,
+    Windows,
 }

 async fn run_command_under_sandbox(
@@ -87,7 +119,67 @@ async fn run_command_under_sandbox(
    let stdio_policy = StdioPolicy::Inherit;
    let env = create_env(&config.shell_environment_policy);

+    // Special-case Windows sandbox: execute and exit the process to emulate inherited stdio.
+    if let SandboxType::Windows = sandbox_type {
+        #[cfg(target_os = "windows")]
+        {
+            use codex_windows_sandbox::run_windows_sandbox_capture;
+
+            let policy_str = match &config.sandbox_policy {
+                codex_core::protocol::SandboxPolicy::DangerFullAccess => "workspace-write",
+                codex_core::protocol::SandboxPolicy::ReadOnly => "read-only",
+                codex_core::protocol::SandboxPolicy::WorkspaceWrite { .. } => "workspace-write",
+            };
+
+            let sandbox_cwd = sandbox_policy_cwd.clone();
+            let cwd_clone = cwd.clone();
+            let env_map = env.clone();
+            let command_vec = command.clone();
+            let base_dir = config.codex_home.clone();
+            let res = tokio::task::spawn_blocking(move || {
+                run_windows_sandbox_capture(
+                    policy_str,
+                    &sandbox_cwd,
+                    command_vec,
+                    &cwd_clone,
+                    env_map,
+                    None,
+                    Some(base_dir.as_path()),
+                )
+            })
+            .await;
+
+            let capture = match res {
+                Ok(Ok(v)) => v,
+                Ok(Err(err)) => {
+                    eprintln!("windows sandbox failed: {err}");
+                    std::process::exit(1);
+                }
+                Err(join_err) => {
+                    eprintln!("windows sandbox join error: {join_err}");
+                    std::process::exit(1);
+                }
+            };
+
+            if !capture.stdout.is_empty() {
+                use std::io::Write;
+                let _ = std::io::stdout().write_all(&capture.stdout);
+            }
+            if !capture.stderr.is_empty() {
+                use std::io::Write;
+                let _ = std::io::stderr().write_all(&capture.stderr);
+            }
+
+            std::process::exit(capture.exit_code);
+        }
+        #[cfg(not(target_os = "windows"))]
+        {
+            anyhow::bail!("Windows sandbox is only available on Windows");
+        }
+    }
+
    let mut child = match sandbox_type {
+        #[cfg(target_os = "macos")]
        SandboxType::Seatbelt => {
            spawn_command_under_seatbelt(
                command,
@@ -115,6 +207,9 @@ async fn run_command_under_sandbox(
            )
            .await?
        }
+        SandboxType::Windows => {
+            unreachable!("Windows sandbox should have been handled above");
+        }
    };
    let status = child.wait().await?;

--- a/codex-rs/cli/src/lib.rs
+++ b/codex-rs/cli/src/lib.rs
@@ -32,3 +32,17 @@ pub struct LandlockCommand {
    #[arg(trailing_var_arg = true)]
    pub command: Vec<String>,
 }
+
+#[derive(Debug, Parser)]
+pub struct WindowsCommand {
+    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
+    #[arg(long = "full-auto", default_value_t = false)]
+    pub full_auto: bool,
+
+    #[clap(skip)]
+    pub config_overrides: CliConfigOverrides,
+
+    /// Full command args to run under Windows restricted token sandbox.
+    #[arg(trailing_var_arg = true)]
+    pub command: Vec<String>,
+}
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -7,6 +7,7 @@ use codex_chatgpt::apply_command::ApplyCommand;
 use codex_chatgpt::apply_command::run_apply_command;
 use codex_cli::LandlockCommand;
 use codex_cli::SeatbeltCommand;
+use codex_cli::WindowsCommand;
 use codex_cli::login::read_api_key_from_stdin;
 use codex_cli::login::run_login_status;
 use codex_cli::login::run_login_with_api_key;
@@ -25,8 +26,10 @@ use std::path::PathBuf;
 use supports_color::Stream;

 mod mcp_cmd;
+mod wsl_paths;

 use crate::mcp_cmd::McpCli;
+use crate::wsl_paths::normalize_for_wsl;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::features::is_known_feature_key;
@@ -151,6 +154,9 @@ enum SandboxCommand {
    /// Run a command under Landlock+seccomp (Linux only).
    #[clap(visible_alias = "landlock")]
    Linux(LandlockCommand),
+
+    /// Run a command under Windows restricted token (Windows only).
+    Windows(WindowsCommand),
 }

 #[derive(Debug, Parser)]
@@ -266,7 +272,11 @@ fn run_update_action(action: UpdateAction) -> anyhow::Result<()> {
    let (cmd, args) = action.command_args();
    let cmd_str = action.command_str();
    println!("Updating Codex via `{cmd_str}`...");
-    let status = std::process::Command::new(cmd).args(args).status()?;
+    let command_path = normalize_for_wsl(cmd);
+    let normalized_args: Vec<String> = args.iter().map(normalize_for_wsl).collect();
+    let status = std::process::Command::new(&command_path)
+        .args(&normalized_args)
+        .status()?;
    if !status.success() {
        anyhow::bail!("`{cmd_str}` failed with status {status}");
    }
@@ -472,6 +482,17 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                )
                .await?;
            }
+            SandboxCommand::Windows(mut windows_cli) => {
+                prepend_config_flags(
+                    &mut windows_cli.config_overrides,
+                    root_config_overrides.clone(),
+                );
+                codex_cli::debug_sandbox::run_command_under_windows(
+                    windows_cli,
+                    codex_linux_sandbox_exe,
+                )
+                .await?;
+            }
        },
        Some(Subcommand::Apply(mut apply_cli)) => {
            prepend_config_flags(
@@ -495,15 +516,21 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
        Some(Subcommand::Features(FeaturesCli { sub })) => match sub {
            FeaturesSubcommand::List => {
                // Respect root-level `-c` overrides plus top-level flags like `--profile`.
-                let cli_kv_overrides = root_config_overrides
+                let mut cli_kv_overrides = root_config_overrides
                    .parse_overrides()
-                    .map_err(|e| anyhow::anyhow!(e))?;
+                    .map_err(anyhow::Error::msg)?;
+
+                // Honor `--search` via the new feature toggle.
+                if interactive.web_search {
+                    cli_kv_overrides.push((
+                        "features.web_search_request".to_string(),
+                        toml::Value::Boolean(true),
+                    ));
+                }

                // Thread through relevant top-level flags (at minimum, `--profile`).
-                // Also honor `--search` since it maps to a feature toggle.
                let overrides = ConfigOverrides {
                    config_profile: interactive.config_profile.clone(),
-                    tools_web_search_request: interactive.web_search.then_some(true),
                    ..Default::default()
                };

--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -196,7 +196,9 @@ impl McpCli {

 async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Result<()> {
    // Validate any provided overrides even though they are not currently applied.
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;
@@ -310,7 +312,9 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
 }

 async fn run_remove(config_overrides: &CliConfigOverrides, remove_args: RemoveArgs) -> Result<()> {
-    config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;

    let RemoveArgs { name } = remove_args;

@@ -341,13 +345,17 @@ async fn run_remove(config_overrides: &CliConfigOverrides, remove_args: RemoveAr
 }

 async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;

    if !config.features.enabled(Feature::RmcpClient) {
-        bail!("OAuth login is only supported when [feature].rmcp_client is true in config.toml.");
+        bail!(
+            "OAuth login is only supported when [features].rmcp_client is true in config.toml. See https://github.com/openai/codex/blob/main/docs/config.md#feature-flags for details."
+        );
    }

    let LoginArgs { name, scopes } = login_args;
@@ -380,7 +388,9 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
 }

 async fn run_logout(config_overrides: &CliConfigOverrides, logout_args: LogoutArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;
@@ -407,7 +417,9 @@ async fn run_logout(config_overrides: &CliConfigOverrides, logout_args: LogoutAr
 }

 async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;
@@ -662,7 +674,9 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
 }

 async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;
--- a/codex-rs/cli/src/wsl_paths.rs
+++ b/codex-rs/cli/src/wsl_paths.rs
@@ -0,0 +1,76 @@
+use std::ffi::OsStr;
+
+/// WSL-specific path helpers used by the updater logic.
+///
+/// See https://github.com/openai/codex/issues/6086.
+pub fn is_wsl() -> bool {
+    #[cfg(target_os = "linux")]
+    {
+        if std::env::var_os("WSL_DISTRO_NAME").is_some() {
+            return true;
+        }
+        match std::fs::read_to_string("/proc/version") {
+            Ok(version) => version.to_lowercase().contains("microsoft"),
+            Err(_) => false,
+        }
+    }
+    #[cfg(not(target_os = "linux"))]
+    {
+        false
+    }
+}
+
+/// Convert a Windows absolute path (`C:\foo\bar` or `C:/foo/bar`) to a WSL mount path (`/mnt/c/foo/bar`).
+/// Returns `None` if the input does not look like a Windows drive path.
+pub fn win_path_to_wsl(path: &str) -> Option<String> {
+    let bytes = path.as_bytes();
+    if bytes.len() < 3
+        || bytes[1] != b':'
+        || !(bytes[2] == b'\\' || bytes[2] == b'/')
+        || !bytes[0].is_ascii_alphabetic()
+    {
+        return None;
+    }
+    let drive = (bytes[0] as char).to_ascii_lowercase();
+    let tail = path[3..].replace('\\', "/");
+    if tail.is_empty() {
+        return Some(format!("/mnt/{drive}"));
+    }
+    Some(format!("/mnt/{drive}/{tail}"))
+}
+
+/// If under WSL and given a Windows-style path, return the equivalent `/mnt/<drive>/…` path.
+/// Otherwise returns the input unchanged.
+pub fn normalize_for_wsl<P: AsRef<OsStr>>(path: P) -> String {
+    let value = path.as_ref().to_string_lossy().to_string();
+    if !is_wsl() {
+        return value;
+    }
+    if let Some(mapped) = win_path_to_wsl(&value) {
+        return mapped;
+    }
+    value
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn win_to_wsl_basic() {
+        assert_eq!(
+            win_path_to_wsl(r"C:\Temp\codex.zip").as_deref(),
+            Some("/mnt/c/Temp/codex.zip")
+        );
+        assert_eq!(
+            win_path_to_wsl("D:/Work/codex.tgz").as_deref(),
+            Some("/mnt/d/Work/codex.tgz")
+        );
+        assert!(win_path_to_wsl("/home/user/codex").is_none());
+    }
+
+    #[test]
+    fn normalize_is_noop_on_unix_paths() {
+        assert_eq!(normalize_for_wsl("/home/u/x"), "/home/u/x");
+    }
+}
--- a/codex-rs/cloud-tasks-client/Cargo.toml
+++ b/codex-rs/cloud-tasks-client/Cargo.toml
@@ -22,6 +22,6 @@ chrono = { version = "0.4", features = ["serde"] }
 diffy = "0.4.2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-thiserror = "2.0.12"
+thiserror = "2.0.17"
 codex-backend-client = { path = "../backend-client", optional = true }
 codex-git = { workspace = true }
--- a/codex-rs/cloud-tasks/src/lib.rs
+++ b/codex-rs/cloud-tasks/src/lib.rs
@@ -1044,7 +1044,7 @@ pub async fn run_main(cli: Cli, _codex_linux_sandbox_exe: Option<PathBuf>) -> an
                            // Close task modal/pending apply if present before opening env modal
                            app.diff_overlay = None;
                            app.env_modal = Some(app::EnvModalState { query: String::new(), selected: 0 });
-                            // Cache environments until user explicitly refreshes with 'r' inside the modal.
+                            // Cache environments while the modal is open to avoid repeated fetches.
                            let should_fetch = app.environments.is_empty();
                            if should_fetch {
                                app.env_loading = true;
@@ -1115,7 +1115,7 @@ pub async fn run_main(cli: Cli, _codex_linux_sandbox_exe: Option<PathBuf>) -> an
                                                    let _ = tx.send(evt);
                                                });
                                            } else {
-                                                app.status = "No environment selected (press 'e' to choose)".to_string();
+                                                app.status = "No environment selected".to_string();
                                            }
                                    }
                                    needs_redraw = true;
@@ -1313,18 +1313,6 @@ pub async fn run_main(cli: Cli, _codex_linux_sandbox_exe: Option<PathBuf>) -> an
                            // Environment modal key handling
                            match key.code {
                                KeyCode::Esc => { app.env_modal = None; needs_redraw = true; }
-                                KeyCode::Char('r') | KeyCode::Char('R') => {
-                                    // Trigger refresh of environments
-                                    app.env_loading = true; app.env_error = None; needs_redraw = true;
-                                    let _ = frame_tx.send(Instant::now() + Duration::from_millis(100));
-                                    let tx = tx.clone();
-                                    tokio::spawn(async move {
-            let base_url = crate::util::normalize_base_url(&std::env::var("CODEX_CLOUD_TASKS_BASE_URL").unwrap_or_else(|_| "https://chatgpt.com/backend-api".to_string()));
-            let headers = crate::util::build_chatgpt_headers().await;
-                                        let res = crate::env_detect::list_environments(&base_url, &headers).await;
-                                        let _ = tx.send(app::AppEvent::EnvironmentsLoaded(res));
-                                    });
-                                }
                                KeyCode::Char(ch) if !key.modifiers.contains(KeyModifiers::CONTROL) && !key.modifiers.contains(KeyModifiers::ALT) => {
                                    if let Some(m) = app.env_modal.as_mut() { m.query.push(ch); }
                                    needs_redraw = true;
@@ -1431,7 +1419,7 @@ pub async fn run_main(cli: Cli, _codex_linux_sandbox_exe: Option<PathBuf>) -> an
                                }
                                KeyCode::Char('o') | KeyCode::Char('O') => {
                                    app.env_modal = Some(app::EnvModalState { query: String::new(), selected: 0 });
-                                    // Cache environments until user explicitly refreshes with 'r' inside the modal.
+                                    // Cache environments while the modal is open to avoid repeated fetches.
                                    let should_fetch = app.environments.is_empty();
                                    if should_fetch { app.env_loading = true; app.env_error = None; }
                                    needs_redraw = true;
--- a/codex-rs/cloud-tasks/src/ui.rs
+++ b/codex-rs/cloud-tasks/src/ui.rs
@@ -945,9 +945,7 @@ pub fn draw_env_modal(frame: &mut Frame, area: Rect, app: &mut App) {

    // Subheader with usage hints (dim cyan)
    let subheader = Paragraph::new(Line::from(
-        "Type to search, Enter select, Esc cancel; r refresh"
-            .cyan()
-            .dim(),
+        "Type to search, Enter select, Esc cancel".cyan().dim(),
    ))
    .wrap(Wrap { trim: true });
    frame.render_widget(subheader, rows[0]);
--- a/codex-rs/common/src/model_presets.rs
+++ b/codex-rs/common/src/model_presets.rs
@@ -34,7 +34,7 @@ const PRESETS: &[ModelPreset] = &[
        id: "gpt-5-codex",
        model: "gpt-5-codex",
        display_name: "gpt-5-codex",
-        description: "Optimized for coding tasks with many tools.",
+        description: "Optimized for codex.",
        default_reasoning_effort: ReasoningEffort::Medium,
        supported_reasoning_efforts: &[
            ReasoningEffortPreset {
@@ -52,6 +52,24 @@ const PRESETS: &[ModelPreset] = &[
        ],
        is_default: true,
    },
+    ModelPreset {
+        id: "gpt-5-codex-mini",
+        model: "gpt-5-codex-mini",
+        display_name: "gpt-5-codex-mini",
+        description: "Optimized for codex. Cheaper, faster, but less capable.",
+        default_reasoning_effort: ReasoningEffort::Medium,
+        supported_reasoning_efforts: &[
+            ReasoningEffortPreset {
+                effort: ReasoningEffort::Medium,
+                description: "Dynamically adjusts reasoning based on the task",
+            },
+            ReasoningEffortPreset {
+                effort: ReasoningEffort::High,
+                description: "Maximizes reasoning depth for complex or ambiguous problems",
+            },
+        ],
+        is_default: false,
+    },
    ModelPreset {
        id: "gpt-5",
        model: "gpt-5",
@@ -80,8 +98,13 @@ const PRESETS: &[ModelPreset] = &[
    },
 ];

-pub fn builtin_model_presets(_auth_mode: Option<AuthMode>) -> Vec<ModelPreset> {
-    PRESETS.to_vec()
+pub fn builtin_model_presets(auth_mode: Option<AuthMode>) -> Vec<ModelPreset> {
+    let allow_codex_mini = matches!(auth_mode, Some(AuthMode::ChatGPT));
+    PRESETS
+        .iter()
+        .filter(|preset| allow_codex_mini || preset.id != "gpt-5-codex-mini")
+        .copied()
+        .collect()
 }

 #[cfg(test)]
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -80,9 +80,10 @@ toml_edit = { workspace = true }
 tracing = { workspace = true, features = ["log"] }
 tree-sitter = { workspace = true }
 tree-sitter-bash = { workspace = true }
-uuid = { workspace = true, features = ["serde", "v4"] }
+uuid = { workspace = true, features = ["serde", "v4", "v5"] }
 which = { workspace = true }
 wildmatch = { workspace = true }
+codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }


 [target.'cfg(target_os = "linux")'.dependencies]
--- a/codex-rs/core/gpt_5_codex_prompt.md
+++ b/codex-rs/core/gpt_5_codex_prompt.md
@@ -16,6 +16,7 @@ You are Codex, based on GPT-5. You are running as a coding agent in the Codex CL
    * If asked to make a commit or code edits and there are unrelated changes to your work or changes that you didn't make in those files, don't revert those changes.
    * If the changes are in files you've touched recently, you should read carefully and understand how you can work with the changes rather than reverting them.
    * If the changes are in unrelated files, just ignore them and don't revert them.
+- Do not amend a commit unless explicitly requested to do so.
 - While you are working, you might notice unexpected changes that you didn't make. If this happens, STOP IMMEDIATELY and ask the user how they would like to proceed.
 - **NEVER** use destructive commands like `git reset --hard` or `git checkout --` unless specifically requested or approved by the user.

--- a/codex-rs/core/review_prompt.md
+++ b/codex-rs/core/review_prompt.md
@@ -82,6 +82,6 @@ OUTPUT FORMAT:

 * **Do not** wrap the JSON in markdown fences or extra prose.
 * The code_location field is required and must include absolute_file_path and line_range.
-*Line ranges must be as short as possible for interpreting the issue (avoid ranges over 5–10 lines; pick the most suitable subrange).
+* Line ranges must be as short as possible for interpreting the issue (avoid ranges over 5–10 lines; pick the most suitable subrange).
 * The code_location should overlap with the diff.
-* Do not generate a PR fix.
+* Do not generate a PR fix.
--- a/codex-rs/core/src/auth.rs
+++ b/codex-rs/core/src/auth.rs
@@ -1,12 +1,14 @@
 mod storage;

 use chrono::Utc;
+use reqwest::StatusCode;
 use serde::Deserialize;
 use serde::Serialize;
 #[cfg(test)]
 use serial_test::serial;
 use std::env;
 use std::fmt::Debug;
+use std::io::ErrorKind;
 use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
@@ -22,10 +24,16 @@ use crate::auth::storage::AuthStorageBackend;
 use crate::auth::storage::create_auth_storage;
 use crate::config::Config;
 use crate::default_client::CodexHttpClient;
-use crate::token_data::PlanType;
+use crate::error::RefreshTokenFailedError;
+use crate::error::RefreshTokenFailedReason;
+use crate::token_data::KnownPlan as InternalKnownPlan;
+use crate::token_data::PlanType as InternalPlanType;
 use crate::token_data::TokenData;
 use crate::token_data::parse_id_token;
 use crate::util::try_parse_error_message;
+use codex_protocol::account::PlanType as AccountPlanType;
+use serde_json::Value;
+use thiserror::Error;

 #[derive(Debug, Clone)]
 pub struct CodexAuth {
@@ -46,18 +54,54 @@ impl PartialEq for CodexAuth {
 // TODO(pakrym): use token exp field to check for expiration instead
 const TOKEN_REFRESH_INTERVAL: i64 = 8;

+const REFRESH_TOKEN_EXPIRED_MESSAGE: &str = "Your access token could not be refreshed because your refresh token has expired. Please log out and sign in again.";
+const REFRESH_TOKEN_REUSED_MESSAGE: &str = "Your access token could not be refreshed because your refresh token was already used. Please log out and sign in again.";
+const REFRESH_TOKEN_INVALIDATED_MESSAGE: &str = "Your access token could not be refreshed because your refresh token was revoked. Please log out and sign in again.";
+const REFRESH_TOKEN_UNKNOWN_MESSAGE: &str =
+    "Your access token could not be refreshed. Please log out and sign in again.";
+const REFRESH_TOKEN_URL: &str = "https://auth.openai.com/oauth/token";
+pub const REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR: &str = "CODEX_REFRESH_TOKEN_URL_OVERRIDE";
+
+#[derive(Debug, Error)]
+pub enum RefreshTokenError {
+    #[error("{0}")]
+    Permanent(#[from] RefreshTokenFailedError),
+    #[error(transparent)]
+    Transient(#[from] std::io::Error),
+}
+
+impl RefreshTokenError {
+    pub fn failed_reason(&self) -> Option<RefreshTokenFailedReason> {
+        match self {
+            Self::Permanent(error) => Some(error.reason),
+            Self::Transient(_) => None,
+        }
+    }
+
+    fn other_with_message(message: impl Into<String>) -> Self {
+        Self::Transient(std::io::Error::other(message.into()))
+    }
+}
+
+impl From<RefreshTokenError> for std::io::Error {
+    fn from(err: RefreshTokenError) -> Self {
+        match err {
+            RefreshTokenError::Permanent(failed) => std::io::Error::other(failed),
+            RefreshTokenError::Transient(inner) => inner,
+        }
+    }
+}
+
 impl CodexAuth {
-    pub async fn refresh_token(&self) -> Result<String, std::io::Error> {
+    pub async fn refresh_token(&self) -> Result<String, RefreshTokenError> {
        tracing::info!("Refreshing token");

-        let token_data = self
-            .get_current_token_data()
-            .ok_or(std::io::Error::other("Token data is not available."))?;
+        let token_data = self.get_current_token_data().ok_or_else(|| {
+            RefreshTokenError::Transient(std::io::Error::other("Token data is not available."))
+        })?;
        let token = token_data.refresh_token;

-        let refresh_response = try_refresh_token(token, &self.client)
-            .await
-            .map_err(std::io::Error::other)?;
+        let refresh_response = try_refresh_token(token, &self.client).await?;

        let updated = update_tokens(
            &self.storage,
@@ -65,7 +109,8 @@ impl CodexAuth {
            refresh_response.access_token,
            refresh_response.refresh_token,
        )
-        .await?;
+        .await
+        .map_err(RefreshTokenError::from)?;

        if let Ok(mut auth_lock) = self.auth_dot_json.lock() {
            *auth_lock = Some(updated.clone());
@@ -74,7 +119,7 @@ impl CodexAuth {
        let access = match updated.tokens {
            Some(t) => t.access_token,
            None => {
-                return Err(std::io::Error::other(
+                return Err(RefreshTokenError::other_with_message(
                    "Token data is not available after refresh.",
                ));
            }
@@ -99,15 +144,21 @@ impl CodexAuth {
                ..
            }) => {
                if last_refresh < Utc::now() - chrono::Duration::days(TOKEN_REFRESH_INTERVAL) {
-                    let refresh_response = tokio::time::timeout(
+                    let refresh_result = tokio::time::timeout(
                        Duration::from_secs(60),
                        try_refresh_token(tokens.refresh_token.clone(), &self.client),
                    )
-                    .await
-                    .map_err(|_| {
-                        std::io::Error::other("timed out while refreshing OpenAI API key")
-                    })?
-                    .map_err(std::io::Error::other)?;
+                    .await;
+                    let refresh_response = match refresh_result {
+                        Ok(Ok(response)) => response,
+                        Ok(Err(err)) => return Err(err.into()),
+                        Err(_) => {
+                            return Err(std::io::Error::new(
+                                ErrorKind::TimedOut,
+                                "timed out while refreshing OpenAI API key",
+                            ));
+                        }
+                    };

                    let updated_auth_dot_json = update_tokens(
                        &self.storage,
@@ -153,7 +204,34 @@ impl CodexAuth {
        self.get_current_token_data().and_then(|t| t.id_token.email)
    }

-    pub(crate) fn get_plan_type(&self) -> Option<PlanType> {
+    /// Account-facing plan classification derived from the current token.
+    /// Returns a high-level `AccountPlanType` (e.g., Free/Plus/Pro/Team/…)
+    /// mapped from the ID token's internal plan value. Prefer this when you
+    /// need to make UI or product decisions based on the user's subscription.
+    pub fn account_plan_type(&self) -> Option<AccountPlanType> {
+        let map_known = |kp: &InternalKnownPlan| match kp {
+            InternalKnownPlan::Free => AccountPlanType::Free,
+            InternalKnownPlan::Plus => AccountPlanType::Plus,
+            InternalKnownPlan::Pro => AccountPlanType::Pro,
+            InternalKnownPlan::Team => AccountPlanType::Team,
+            InternalKnownPlan::Business => AccountPlanType::Business,
+            InternalKnownPlan::Enterprise => AccountPlanType::Enterprise,
+            InternalKnownPlan::Edu => AccountPlanType::Edu,
+        };
+
+        self.get_current_token_data()
+            .and_then(|t| t.id_token.chatgpt_plan_type)
+            .map(|pt| match pt {
+                InternalPlanType::Known(k) => map_known(&k),
+                InternalPlanType::Unknown(_) => AccountPlanType::Unknown,
+            })
+    }
+
+    /// Raw internal plan value from the ID token.
+    /// Exposes the underlying `token_data::PlanType` without mapping it to the
+    /// public `AccountPlanType`. Use this when downstream code needs to inspect
+    /// internal/unknown plan strings exactly as issued in the token.
+    pub(crate) fn get_plan_type(&self) -> Option<InternalPlanType> {
        self.get_current_token_data()
            .and_then(|t| t.id_token.chatgpt_plan_type)
    }
@@ -425,7 +503,7 @@ async fn update_tokens(
 async fn try_refresh_token(
    refresh_token: String,
    client: &CodexHttpClient,
-) -> std::io::Result<RefreshResponse> {
+) -> Result<RefreshResponse, RefreshTokenError> {
    let refresh_request = RefreshRequest {
        client_id: CLIENT_ID,
        grant_type: "refresh_token",
@@ -433,30 +511,93 @@ async fn try_refresh_token(
        scope: "openid profile email",
    };

+    let endpoint = refresh_token_endpoint();
+
    // Use shared client factory to include standard headers
    let response = client
-        .post("https://auth.openai.com/oauth/token")
+        .post(endpoint.as_str())
        .header("Content-Type", "application/json")
        .json(&refresh_request)
        .send()
        .await
-        .map_err(std::io::Error::other)?;
+        .map_err(|err| RefreshTokenError::Transient(std::io::Error::other(err)))?;

-    if response.status().is_success() {
+    let status = response.status();
+    if status.is_success() {
        let refresh_response = response
            .json::<RefreshResponse>()
            .await
-            .map_err(std::io::Error::other)?;
+            .map_err(|err| RefreshTokenError::Transient(std::io::Error::other(err)))?;
        Ok(refresh_response)
    } else {
-        Err(std::io::Error::other(format!(
-            "Failed to refresh token: {}: {}",
-            response.status(),
-            try_parse_error_message(&response.text().await.unwrap_or_default()),
-        )))
+        let body = response.text().await.unwrap_or_default();
+        if status == StatusCode::UNAUTHORIZED {
+            let failed = classify_refresh_token_failure(&body);
+            Err(RefreshTokenError::Permanent(failed))
+        } else {
+            let message = try_parse_error_message(&body);
+            Err(RefreshTokenError::Transient(std::io::Error::other(
+                format!("Failed to refresh token: {status}: {message}"),
+            )))
+        }
    }
 }

+fn classify_refresh_token_failure(body: &str) -> RefreshTokenFailedError {
+    let code = extract_refresh_token_error_code(body);
+
+    let normalized_code = code.as_deref().map(str::to_ascii_lowercase);
+    let reason = match normalized_code.as_deref() {
+        Some("refresh_token_expired") => RefreshTokenFailedReason::Expired,
+        Some("refresh_token_reused") => RefreshTokenFailedReason::Exhausted,
+        Some("refresh_token_invalidated") => RefreshTokenFailedReason::Revoked,
+        _ => RefreshTokenFailedReason::Other,
+    };
+
+    if reason == RefreshTokenFailedReason::Other {
+        tracing::warn!(
+            backend_code = normalized_code.as_deref(),
+            backend_body = body,
+            "Encountered unknown 401 response while refreshing token"
+        );
+    }
+
+    let message = match reason {
+        RefreshTokenFailedReason::Expired => REFRESH_TOKEN_EXPIRED_MESSAGE.to_string(),
+        RefreshTokenFailedReason::Exhausted => REFRESH_TOKEN_REUSED_MESSAGE.to_string(),
+        RefreshTokenFailedReason::Revoked => REFRESH_TOKEN_INVALIDATED_MESSAGE.to_string(),
+        RefreshTokenFailedReason::Other => REFRESH_TOKEN_UNKNOWN_MESSAGE.to_string(),
+    };
+
+    RefreshTokenFailedError::new(reason, message)
+}
+
+fn extract_refresh_token_error_code(body: &str) -> Option<String> {
+    if body.trim().is_empty() {
+        return None;
+    }
+
+    let Value::Object(map) = serde_json::from_str::<Value>(body).ok()? else {
+        return None;
+    };
+
+    if let Some(error_value) = map.get("error") {
+        match error_value {
+            Value::Object(obj) => {
+                if let Some(code) = obj.get("code").and_then(Value::as_str) {
+                    return Some(code.to_string());
+                }
+            }
+            Value::String(code) => {
+                return Some(code.to_string());
+            }
+            _ => {}
+        }
+    }
+
+    map.get("code").and_then(Value::as_str).map(str::to_string)
+}
+
 #[derive(Serialize)]
 struct RefreshRequest {
    client_id: &'static str,
@@ -475,6 +616,11 @@ struct RefreshResponse {
 // Shared constant for token refresh (client id used for oauth token refresh flow)
 pub const CLIENT_ID: &str = "app_EMoamEEZ73f0CkXaXp7hrann";

+fn refresh_token_endpoint() -> String {
+    std::env::var(REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR)
+        .unwrap_or_else(|_| REFRESH_TOKEN_URL.to_string())
+}
+
 use std::sync::RwLock;

 /// Internal cached auth state.
@@ -492,8 +638,9 @@ mod tests {
    use crate::config::ConfigOverrides;
    use crate::config::ConfigToml;
    use crate::token_data::IdTokenInfo;
-    use crate::token_data::KnownPlan;
-    use crate::token_data::PlanType;
+    use crate::token_data::KnownPlan as InternalKnownPlan;
+    use crate::token_data::PlanType as InternalPlanType;
+    use codex_protocol::account::PlanType as AccountPlanType;

    use base64::Engine;
    use codex_protocol::config_types::ForcedLoginMethod;
@@ -610,7 +757,7 @@ mod tests {
                tokens: Some(TokenData {
                    id_token: IdTokenInfo {
                        email: Some("user@example.com".to_string()),
-                        chatgpt_plan_type: Some(PlanType::Known(KnownPlan::Pro)),
+                        chatgpt_plan_type: Some(InternalPlanType::Known(InternalKnownPlan::Pro)),
                        chatgpt_account_id: None,
                        raw_jwt: fake_jwt,
                    },
@@ -864,6 +1011,54 @@ mod tests {
                .contains("ChatGPT login is required, but an API key is currently being used.")
        );
    }
+
+    #[test]
+    fn plan_type_maps_known_plan() {
+        let codex_home = tempdir().unwrap();
+        let _jwt = write_auth_file(
+            AuthFileParams {
+                openai_api_key: None,
+                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: None,
+            },
+            codex_home.path(),
+        )
+        .expect("failed to write auth file");
+
+        let auth = super::load_auth(codex_home.path(), false, AuthCredentialsStoreMode::File)
+            .expect("load auth")
+            .expect("auth available");
+
+        pretty_assertions::assert_eq!(auth.account_plan_type(), Some(AccountPlanType::Pro));
+        pretty_assertions::assert_eq!(
+            auth.get_plan_type(),
+            Some(InternalPlanType::Known(InternalKnownPlan::Pro))
+        );
+    }
+
+    #[test]
+    fn plan_type_maps_unknown_to_unknown() {
+        let codex_home = tempdir().unwrap();
+        let _jwt = write_auth_file(
+            AuthFileParams {
+                openai_api_key: None,
+                chatgpt_plan_type: "mystery-tier".to_string(),
+                chatgpt_account_id: None,
+            },
+            codex_home.path(),
+        )
+        .expect("failed to write auth file");
+
+        let auth = super::load_auth(codex_home.path(), false, AuthCredentialsStoreMode::File)
+            .expect("load auth")
+            .expect("auth available");
+
+        pretty_assertions::assert_eq!(auth.account_plan_type(), Some(AccountPlanType::Unknown));
+        pretty_assertions::assert_eq!(
+            auth.get_plan_type(),
+            Some(InternalPlanType::Unknown("mystery-tier".to_string()))
+        );
+    }
 }

 /// Central manager providing a single source of truth for auth.json derived
@@ -965,7 +1160,9 @@ impl AuthManager {

    /// Attempt to refresh the current auth token (if any). On success, reload
    /// the auth state from disk so other components observe refreshed token.
-    pub async fn refresh_token(&self) -> std::io::Result<Option<String>> {
+    /// If the token refresh fails in a permanent (non‑transient) way, logs out
+    /// to clear invalid auth state.
+    pub async fn refresh_token(&self) -> Result<Option<String>, RefreshTokenError> {
        let auth = match self.auth() {
            Some(a) => a,
            None => return Ok(None),
--- a/codex-rs/core/src/client.rs
+++ b/codex-rs/core/src/client.rs
@@ -31,6 +31,7 @@ use tracing::warn;

 use crate::AuthManager;
 use crate::auth::CodexAuth;
+use crate::auth::RefreshTokenError;
 use crate::chat_completions::AggregateStreamExt;
 use crate::chat_completions::stream_chat_completions;
 use crate::client_common::Prompt;
@@ -216,10 +217,12 @@ impl ModelClient {
        let verbosity = if self.config.model_family.support_verbosity {
            self.config.model_verbosity
        } else {
-            warn!(
-                "model_verbosity is set but ignored as the model does not support verbosity: {}",
-                self.config.model_family.family
-            );
+            if self.config.model_verbosity.is_some() {
+                warn!(
+                    "model_verbosity is set but ignored as the model does not support verbosity: {}",
+                    self.config.model_family.family
+                );
+            }
            None
        };

@@ -387,12 +390,17 @@ impl ModelClient {
                    && let Some(manager) = auth_manager.as_ref()
                    && let Some(auth) = auth.as_ref()
                    && auth.mode == AuthMode::ChatGPT
+                    && let Err(err) = manager.refresh_token().await
                {
-                    manager.refresh_token().await.map_err(|err| {
-                        StreamAttemptError::Fatal(CodexErr::Fatal(format!(
-                            "Failed to refresh ChatGPT credentials: {err}"
-                        )))
-                    })?;
+                    let stream_error = match err {
+                        RefreshTokenError::Permanent(failed) => {
+                            StreamAttemptError::Fatal(CodexErr::RefreshTokenFailed(failed))
+                        }
+                        RefreshTokenError::Transient(other) => {
+                            StreamAttemptError::RetryableTransportError(CodexErr::Io(other))
+                        }
+                    };
+                    return Err(stream_error);
                }

                // The OpenAI Responses endpoint returns structured JSON bodies even for 4xx/5xx
@@ -439,6 +447,8 @@ impl ModelClient {
                            return Err(StreamAttemptError::Fatal(codex_err));
                        } else if error.r#type.as_deref() == Some("usage_not_included") {
                            return Err(StreamAttemptError::Fatal(CodexErr::UsageNotIncluded));
+                        } else if is_quota_exceeded_error(&error) {
+                            return Err(StreamAttemptError::Fatal(CodexErr::QuotaExceeded));
                        }
                    }
                }
@@ -836,6 +846,8 @@ async fn process_sse<S>(
                            Ok(error) => {
                                if is_context_window_error(&error) {
                                    response_error = Some(CodexErr::ContextWindowExceeded);
+                                } else if is_quota_exceeded_error(&error) {
+                                    response_error = Some(CodexErr::QuotaExceeded);
                                } else {
                                    let delay = try_parse_retry_after(&error);
                                    let message = error.message.clone().unwrap_or_default();
@@ -929,8 +941,10 @@ async fn stream_from_fixture(
 fn rate_limit_regex() -> &'static Regex {
    static RE: OnceLock<Regex> = OnceLock::new();

+    // Match both OpenAI-style messages like "Please try again in 1.898s"
+    // and Azure OpenAI-style messages like "Try again in 35 seconds".
    #[expect(clippy::unwrap_used)]
-    RE.get_or_init(|| Regex::new(r"Please try again in (\d+(?:\.\d+)?)(s|ms)").unwrap())
+    RE.get_or_init(|| Regex::new(r"(?i)try again in\s*(\d+(?:\.\d+)?)\s*(s|ms|seconds?)").unwrap())
 }

 fn try_parse_retry_after(err: &Error) -> Option<Duration> {
@@ -938,7 +952,8 @@ fn try_parse_retry_after(err: &Error) -> Option<Duration> {
        return None;
    }

-    // parse the Please try again in 1.898s format using regex
+    // parse retry hints like "try again in 1.898s" or
+    // "Try again in 35 seconds" using regex
    let re = rate_limit_regex();
    if let Some(message) = &err.message
        && let Some(captures) = re.captures(message)
@@ -948,9 +963,9 @@ fn try_parse_retry_after(err: &Error) -> Option<Duration> {

        if let (Some(value), Some(unit)) = (seconds, unit) {
            let value = value.as_str().parse::<f64>().ok()?;
-            let unit = unit.as_str();
+            let unit = unit.as_str().to_ascii_lowercase();

-            if unit == "s" {
+            if unit == "s" || unit.starts_with("second") {
                return Some(Duration::from_secs_f64(value));
            } else if unit == "ms" {
                return Some(Duration::from_millis(value as u64));
@@ -964,6 +979,10 @@ fn is_context_window_error(error: &Error) -> bool {
    error.code.as_deref() == Some("context_length_exceeded")
 }

+fn is_quota_exceeded_error(error: &Error) -> bool {
+    error.code.as_deref() == Some("insufficient_quota")
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -1296,6 +1315,41 @@ mod tests {
        }
    }

+    #[tokio::test]
+    async fn quota_exceeded_error_is_fatal() {
+        let raw_error = r#"{"type":"response.failed","sequence_number":3,"response":{"id":"resp_fatal_quota","object":"response","created_at":1759771626,"status":"failed","background":false,"error":{"code":"insufficient_quota","message":"You exceeded your current quota, please check your plan and billing details. For more information on this error, read the docs: https://platform.openai.com/docs/guides/error-codes/api-errors."},"incomplete_details":null}}"#;
+
+        let sse1 = format!("event: response.failed\ndata: {raw_error}\n\n");
+        let provider = ModelProviderInfo {
+            name: "test".to_string(),
+            base_url: Some("https://test.com".to_string()),
+            env_key: Some("TEST_API_KEY".to_string()),
+            env_key_instructions: None,
+            experimental_bearer_token: None,
+            wire_api: WireApi::Responses,
+            query_params: None,
+            http_headers: None,
+            env_http_headers: None,
+            request_max_retries: Some(0),
+            stream_max_retries: Some(0),
+            stream_idle_timeout_ms: Some(1000),
+            requires_openai_auth: false,
+        };
+
+        let otel_event_manager = otel_event_manager();
+
+        let events = collect_events(&[sse1.as_bytes()], provider, otel_event_manager).await;
+
+        assert_eq!(events.len(), 1);
+
+        match &events[0] {
+            Err(err @ CodexErr::QuotaExceeded) => {
+                assert_eq!(err.to_string(), CodexErr::QuotaExceeded.to_string());
+            }
+            other => panic!("unexpected quota exceeded event: {other:?}"),
+        }
+    }
+
    // ────────────────────────────
    // Table-driven test from `main`
    // ────────────────────────────
@@ -1425,6 +1479,19 @@ mod tests {
        assert_eq!(delay, Some(Duration::from_secs_f64(1.898)));
    }

+    #[test]
+    fn test_try_parse_retry_after_azure() {
+        let err = Error {
+            r#type: None,
+            message: Some("Rate limit exceeded. Try again in 35 seconds.".to_string()),
+            code: Some("rate_limit_exceeded".to_string()),
+            plan_type: None,
+            resets_at: None,
+        };
+        let delay = try_parse_retry_after(&err);
+        assert_eq!(delay, Some(Duration::from_secs(35)));
+    }
+
    #[test]
    fn error_response_deserializes_schema_known_plan_type_and_serializes_back() {
        use crate::token_data::KnownPlan;
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -58,7 +58,7 @@ use crate::client_common::ResponseEvent;
 use crate::config::Config;
 use crate::config::types::McpServerTransportConfig;
 use crate::config::types::ShellEnvironmentPolicy;
-use crate::conversation_history::ConversationHistory;
+use crate::context_manager::ContextManager;
 use crate::environment_context::EnvironmentContext;
 use crate::error::CodexErr;
 use crate::error::Result as CodexResult;
@@ -116,7 +116,6 @@ use crate::user_instructions::DeveloperInstructions;
 use crate::user_instructions::UserInstructions;
 use crate::user_notification::UserNotification;
 use crate::util::backoff;
-use chrono::Local;
 use codex_async_utils::OrCancelExt;
 use codex_otel::otel_event_manager::OtelEventManager;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
@@ -268,7 +267,6 @@ pub(crate) struct TurnContext {
    /// the model as well as sandbox policies are resolved against this path
    /// instead of `std::env::current_dir()`.
    pub(crate) cwd: PathBuf,
-    pub(crate) local_date_with_timezone: Option<String>,
    pub(crate) developer_instructions: Option<String>,
    pub(crate) base_instructions: Option<String>,
    pub(crate) compact_prompt: Option<String>,
@@ -425,7 +423,6 @@ impl Session {
            sub_id,
            client,
            cwd: session_configuration.cwd.clone(),
-            local_date_with_timezone: Some(Local::now().format("%Y-%m-%d %:z").to_string()),
            developer_instructions: session_configuration.developer_instructions.clone(),
            base_instructions: session_configuration.base_instructions.clone(),
            compact_prompt: session_configuration.compact_prompt.clone(),
@@ -556,7 +553,7 @@ impl Session {
                None
            } else {
                Some(format!(
-                    "You can either enable it using the CLI with `--enable {canonical}` or through the config.toml file with `[features].{canonical}`"
+                    "Enable it with `--enable {canonical}` or `[features].{canonical}` in config.toml. See https://github.com/openai/codex/blob/main/docs/config.md#feature-flags for details."
                ))
            };
            post_session_configured_events.push(Event {
@@ -948,7 +945,7 @@ impl Session {
        turn_context: &TurnContext,
        rollout_items: &[RolloutItem],
    ) -> Vec<ResponseItem> {
-        let mut history = ConversationHistory::new();
+        let mut history = ContextManager::new();
        for item in rollout_items {
            match item {
                RolloutItem::ResponseItem(response_item) => {
@@ -1006,11 +1003,16 @@ impl Session {
            items.push(DeveloperInstructions::new(developer_instructions.to_string()).into());
        }
        if let Some(user_instructions) = turn_context.user_instructions.as_deref() {
-            items.push(UserInstructions::new(user_instructions.to_string()).into());
+            items.push(
+                UserInstructions {
+                    text: user_instructions.to_string(),
+                    directory: turn_context.cwd.to_string_lossy().into_owned(),
+                }
+                .into(),
+            );
        }
        items.push(ResponseItem::from(EnvironmentContext::new(
            Some(turn_context.cwd.clone()),
-            turn_context.local_date_with_timezone.clone(),
            Some(turn_context.approval_policy),
            Some(turn_context.sandbox_policy.clone()),
            Some(self.user_shell().clone()),
@@ -1030,7 +1032,7 @@ impl Session {
        }
    }

-    pub(crate) async fn clone_history(&self) -> ConversationHistory {
+    pub(crate) async fn clone_history(&self) -> ContextManager {
        let state = self.state.lock().await;
        state.clone_history()
    }
@@ -1641,8 +1643,7 @@ async fn spawn_review_thread(
    let mut review_features = config.features.clone();
    review_features
        .disable(crate::features::Feature::WebSearchRequest)
-        .disable(crate::features::Feature::ViewImageTool)
-        .disable(crate::features::Feature::StreamableShell);
+        .disable(crate::features::Feature::ViewImageTool);
    let tools_config = ToolsConfig::new(&ToolsConfigParams {
        model_family: &review_model_family,
        features: &review_features,
@@ -1696,7 +1697,6 @@ async fn spawn_review_thread(
        sandbox_policy: parent_turn_context.sandbox_policy.clone(),
        shell_environment_policy: parent_turn_context.shell_environment_policy.clone(),
        cwd: parent_turn_context.cwd.clone(),
-        local_date_with_timezone: parent_turn_context.local_date_with_timezone.clone(),
        final_output_json_schema: None,
        codex_linux_sandbox_exe: parent_turn_context.codex_linux_sandbox_exe.clone(),
        tool_call_gate: Arc::new(ReadinessFlag::new()),
@@ -1772,19 +1772,14 @@ pub(crate) async fn run_task(
            sess.clone_history().await.get_history_for_prompt()
        };

-        let turn_input_messages: Vec<String> = turn_input
+        let turn_input_messages = turn_input
            .iter()
-            .filter_map(|item| match item {
-                ResponseItem::Message { content, .. } => Some(content),
+            .filter_map(|item| match parse_turn_item(item) {
+                Some(TurnItem::UserMessage(user_message)) => Some(user_message),
                _ => None,
            })
-            .flat_map(|content| {
-                content.iter().filter_map(|item| match item {
-                    ContentItem::OutputText { text } => Some(text.clone()),
-                    _ => None,
-                })
-            })
-            .collect();
+            .map(|user_message| user_message.message())
+            .collect::<Vec<String>>();
        match run_turn(
            Arc::clone(&sess),
            Arc::clone(&turn_context),
@@ -1932,6 +1927,8 @@ async fn run_turn(
                return Err(CodexErr::UsageLimitReached(e));
            }
            Err(CodexErr::UsageNotIncluded) => return Err(CodexErr::UsageNotIncluded),
+            Err(e @ CodexErr::QuotaExceeded) => return Err(e),
+            Err(e @ CodexErr::RefreshTokenFailed(_)) => return Err(e),
            Err(e) => {
                // Use the configured provider-specific stream retry budget.
                let max_retries = turn_context.client.get_provider().stream_max_retries();
@@ -1950,7 +1947,7 @@ async fn run_turn(
                    // at a seemingly frozen screen.
                    sess.notify_stream_error(
                        &turn_context,
-                        format!("Re-connecting... {retries}/{max_retries}"),
+                        format!("Reconnecting... {retries}/{max_retries}"),
                    )
                    .await;

@@ -2838,7 +2835,7 @@ mod tests {
        turn_context: &TurnContext,
    ) -> (Vec<RolloutItem>, Vec<ResponseItem>) {
        let mut rollout_items = Vec::new();
-        let mut live_history = ConversationHistory::new();
+        let mut live_history = ContextManager::new();

        let initial_context = session.build_initial_context(turn_context);
        for item in &initial_context {
--- a/codex-rs/core/src/codex/compact.rs
+++ b/codex-rs/core/src/codex/compact.rs
@@ -13,9 +13,9 @@ use crate::protocol::ErrorEvent;
 use crate::protocol::EventMsg;
 use crate::protocol::TaskStartedEvent;
 use crate::protocol::TurnContextItem;
+use crate::protocol::WarningEvent;
 use crate::truncate::truncate_middle;
 use crate::util::backoff;
-use askama::Template;
 use codex_protocol::items::TurnItem;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseInputItem;
@@ -28,13 +28,6 @@ use tracing::error;
 pub const SUMMARIZATION_PROMPT: &str = include_str!("../../templates/compact/prompt.md");
 const COMPACT_USER_MESSAGE_MAX_TOKENS: usize = 20_000;

-#[derive(Template)]
-#[template(path = "compact/history_bridge.md", escape = "none")]
-struct HistoryBridgeTemplate<'a> {
-    user_messages_text: &'a str,
-    summary_text: &'a str,
-}
-
 pub(crate) async fn run_inline_auto_compact_task(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
@@ -149,6 +142,7 @@ async fn run_compact_task_inner(
    let history_snapshot = sess.clone_history().await.get_history();
    let summary_text = get_last_assistant_message_from_turn(&history_snapshot).unwrap_or_default();
    let user_messages = collect_user_messages(&history_snapshot);
+
    let initial_context = sess.build_initial_context(turn_context.as_ref());
    let mut new_history = build_compacted_history(initial_context, &user_messages, &summary_text);
    let ghost_snapshots: Vec<ResponseItem> = history_snapshot
@@ -168,6 +162,11 @@ async fn run_compact_task_inner(
        message: "Compact task completed".to_string(),
    });
    sess.send_event(&turn_context, event).await;
+
+    let warning = EventMsg::Warning(WarningEvent {
+        message: "Heads up: Long conversations and multiple compactions can cause the model to be less accurate. Start new a new conversation when possible to keep conversations small and targeted.".to_string(),
+    });
+    sess.send_event(&turn_context, warning).await;
 }

 pub fn content_items_to_text(content: &[ContentItem]) -> Option<String> {
@@ -218,33 +217,47 @@ fn build_compacted_history_with_limit(
    summary_text: &str,
    max_bytes: usize,
 ) -> Vec<ResponseItem> {
-    let mut user_messages_text = if user_messages.is_empty() {
-        "(none)".to_string()
-    } else {
-        user_messages.join("\n\n")
-    };
-    // Truncate the concatenated prior user messages so the bridge message
-    // stays well under the context window (approx. 4 bytes/token).
-    if user_messages_text.len() > max_bytes {
-        user_messages_text = truncate_middle(&user_messages_text, max_bytes).0;
+    let mut selected_messages: Vec<String> = Vec::new();
+    if max_bytes > 0 {
+        let mut remaining = max_bytes;
+        for message in user_messages.iter().rev() {
+            if remaining == 0 {
+                break;
+            }
+            if message.len() <= remaining {
+                selected_messages.push(message.clone());
+                remaining = remaining.saturating_sub(message.len());
+            } else {
+                let (truncated, _) = truncate_middle(message, remaining);
+                selected_messages.push(truncated);
+                break;
+            }
+        }
+        selected_messages.reverse();
    }
+
+    for message in &selected_messages {
+        history.push(ResponseItem::Message {
+            id: None,
+            role: "user".to_string(),
+            content: vec![ContentItem::InputText {
+                text: message.clone(),
+            }],
+        });
+    }
+
    let summary_text = if summary_text.is_empty() {
        "(no summary available)".to_string()
    } else {
        summary_text.to_string()
    };
-    let Ok(bridge) = HistoryBridgeTemplate {
-        user_messages_text: &user_messages_text,
-        summary_text: &summary_text,
-    }
-    .render() else {
-        return vec![];
-    };
+
    history.push(ResponseItem::Message {
        id: None,
        role: "user".to_string(),
-        content: vec![ContentItem::InputText { text: bridge }],
+        content: vec![ContentItem::InputText { text: summary_text }],
    });
+
    history
 }

@@ -347,7 +360,8 @@ mod tests {
                id: None,
                role: "user".to_string(),
                content: vec![ContentItem::InputText {
-                    text: "<user_instructions>do things</user_instructions>".to_string(),
+                    text: "# AGENTS.md instructions for project\n\n<INSTRUCTIONS>\ndo things\n</INSTRUCTIONS>"
+                        .to_string(),
                }],
            },
            ResponseItem::Message {
@@ -383,30 +397,55 @@ mod tests {
            "SUMMARY",
            max_bytes,
        );
+        assert_eq!(history.len(), 2);

-        // Expect exactly one bridge message added to history (plus any initial context we provided, which is none).
-        assert_eq!(history.len(), 1);
+        let truncated_message = &history[0];
+        let summary_message = &history[1];

-        // Extract the text content of the bridge message.
-        let bridge_text = match &history[0] {
+        let truncated_text = match truncated_message {
            ResponseItem::Message { role, content, .. } if role == "user" => {
                content_items_to_text(content).unwrap_or_default()
            }
            other => panic!("unexpected item in history: {other:?}"),
        };

-        // The bridge should contain the truncation marker and not the full original payload.
        assert!(
-            bridge_text.contains("tokens truncated"),
-            "expected truncation marker in bridge message"
+            truncated_text.contains("tokens truncated"),
+            "expected truncation marker in truncated user message"
        );
        assert!(
-            !bridge_text.contains(&big),
-            "bridge should not include the full oversized user text"
+            !truncated_text.contains(&big),
+            "truncated user message should not include the full oversized user text"
        );
+
+        let summary_text = match summary_message {
+            ResponseItem::Message { role, content, .. } if role == "user" => {
+                content_items_to_text(content).unwrap_or_default()
+            }
+            other => panic!("unexpected item in history: {other:?}"),
+        };
+        assert_eq!(summary_text, "SUMMARY");
+    }
+
+    #[test]
+    fn build_compacted_history_appends_summary_message() {
+        let initial_context: Vec<ResponseItem> = Vec::new();
+        let user_messages = vec!["first user message".to_string()];
+        let summary_text = "summary text";
+
+        let history = build_compacted_history(initial_context, &user_messages, summary_text);
        assert!(
-            bridge_text.contains("SUMMARY"),
-            "bridge should include the provided summary text"
+            !history.is_empty(),
+            "expected compacted history to include summary"
        );
+
+        let last = history.last().expect("history should have a summary entry");
+        let summary = match last {
+            ResponseItem::Message { role, content, .. } if role == "user" => {
+                content_items_to_text(content).unwrap_or_default()
+            }
+            other => panic!("expected summary message, found {other:?}"),
+        };
+        assert_eq!(summary, summary_text);
    }
 }
--- a/codex-rs/core/src/codex_delegate.rs
+++ b/codex-rs/core/src/codex_delegate.rs
@@ -158,6 +158,11 @@ async fn forward_events(
 ) {
    while let Ok(event) = codex.next_event().await {
        match event {
+            // ignore all legacy delta events
+            Event {
+                id: _,
+                msg: EventMsg::AgentMessageDelta(_) | EventMsg::AgentReasoningDelta(_),
+            } => continue,
            Event {
                id: _,
                msg: EventMsg::SessionConfigured(_),
--- a/codex-rs/core/src/config/edit.rs
+++ b/codex-rs/core/src/config/edit.rs
@@ -23,6 +23,8 @@ pub enum ConfigEdit {
    },
    /// Toggle the acknowledgement flag under `[notice]`.
    SetNoticeHideFullAccessWarning(bool),
+    /// Toggle the Windows world-writable directories warning acknowledgement flag.
+    SetNoticeHideWorldWritableWarning(bool),
    /// Toggle the Windows onboarding acknowledgement flag.
    SetWindowsWslSetupAcknowledged(bool),
    /// Replace the entire `[mcp_servers]` table.
@@ -239,6 +241,11 @@ impl ConfigDocument {
                &[Notice::TABLE_KEY, "hide_full_access_warning"],
                value(*acknowledged),
            )),
+            ConfigEdit::SetNoticeHideWorldWritableWarning(acknowledged) => Ok(self.write_value(
+                Scope::Global,
+                &[Notice::TABLE_KEY, "hide_world_writable_warning"],
+                value(*acknowledged),
+            )),
            ConfigEdit::SetWindowsWslSetupAcknowledged(acknowledged) => Ok(self.write_value(
                Scope::Global,
                &["windows_wsl_setup_acknowledged"],
@@ -473,6 +480,12 @@ impl ConfigEditsBuilder {
        self
    }

+    pub fn set_hide_world_writable_warning(mut self, acknowledged: bool) -> Self {
+        self.edits
+            .push(ConfigEdit::SetNoticeHideWorldWritableWarning(acknowledged));
+        self
+    }
+
    pub fn set_windows_wsl_setup_acknowledged(mut self, acknowledged: bool) -> Self {
        self.edits
            .push(ConfigEdit::SetWindowsWslSetupAcknowledged(acknowledged));
--- a/codex-rs/core/src/config/mod.rs
+++ b/codex-rs/core/src/config/mod.rs
@@ -241,8 +241,6 @@ pub struct Config {
    /// When `true`, run a model-based assessment for commands denied by the sandbox.
    pub experimental_sandbox_command_assessment: bool,

-    pub use_experimental_streamable_shell_tool: bool,
-
    /// If set to `true`, used only the experimental unified exec tool.
    pub use_experimental_unified_exec_tool: bool,

@@ -655,7 +653,6 @@ pub struct ConfigToml {
    /// Legacy, now use features
    pub experimental_instructions_file: Option<PathBuf>,
    pub experimental_compact_prompt_file: Option<PathBuf>,
-    pub experimental_use_exec_command_tool: Option<bool>,
    pub experimental_use_unified_exec_tool: Option<bool>,
    pub experimental_use_rmcp_client: Option<bool>,
    pub experimental_use_freeform_apply_patch: Option<bool>,
@@ -769,6 +766,8 @@ impl ConfigToml {
        let mut forced_auto_mode_downgraded_on_windows = false;
        if cfg!(target_os = "windows")
            && matches!(resolved_sandbox_mode, SandboxMode::WorkspaceWrite)
+            // If the experimental Windows sandbox is enabled, do not force a downgrade.
+            && crate::safety::get_platform_sandbox().is_none()
        {
            sandbox_policy = SandboxPolicy::new_read_only_policy();
            forced_auto_mode_downgraded_on_windows = true;
@@ -900,6 +899,10 @@ impl Config {
        };

        let features = Features::from_config(&cfg, &config_profile, feature_overrides);
+        #[cfg(target_os = "windows")]
+        {
+            crate::safety::set_windows_sandbox_enabled(features.enabled(Feature::WindowsSandbox));
+        }

        let resolved_cwd = {
            use std::env;
@@ -993,7 +996,6 @@ impl Config {

        let include_apply_patch_tool_flag = features.enabled(Feature::ApplyPatchFreeform);
        let tools_web_search_request = features.enabled(Feature::WebSearchRequest);
-        let use_experimental_streamable_shell_tool = features.enabled(Feature::StreamableShell);
        let use_experimental_unified_exec_tool = features.enabled(Feature::UnifiedExec);
        let use_experimental_use_rmcp_client = features.enabled(Feature::RmcpClient);
        let experimental_sandbox_command_assessment =
@@ -1150,7 +1152,6 @@ impl Config {
            include_apply_patch_tool: include_apply_patch_tool_flag,
            tools_web_search_request,
            experimental_sandbox_command_assessment,
-            use_experimental_streamable_shell_tool,
            use_experimental_unified_exec_tool,
            use_experimental_use_rmcp_client,
            features,
@@ -1709,7 +1710,6 @@ trust_level = "trusted"
    fn legacy_toggles_map_to_features() -> std::io::Result<()> {
        let codex_home = TempDir::new()?;
        let cfg = ConfigToml {
-            experimental_use_exec_command_tool: Some(true),
            experimental_use_unified_exec_tool: Some(true),
            experimental_use_rmcp_client: Some(true),
            experimental_use_freeform_apply_patch: Some(true),
@@ -1723,12 +1723,11 @@ trust_level = "trusted"
        )?;

        assert!(config.features.enabled(Feature::ApplyPatchFreeform));
-        assert!(config.features.enabled(Feature::StreamableShell));
        assert!(config.features.enabled(Feature::UnifiedExec));
        assert!(config.features.enabled(Feature::RmcpClient));

        assert!(config.include_apply_patch_tool);
-        assert!(config.use_experimental_streamable_shell_tool);
+
        assert!(config.use_experimental_unified_exec_tool);
        assert!(config.use_experimental_use_rmcp_client);

@@ -2896,7 +2895,6 @@ model_verbosity = "high"
                include_apply_patch_tool: false,
                tools_web_search_request: false,
                experimental_sandbox_command_assessment: false,
-                use_experimental_streamable_shell_tool: false,
                use_experimental_unified_exec_tool: false,
                use_experimental_use_rmcp_client: false,
                features: Features::with_defaults(),
@@ -2968,7 +2966,6 @@ model_verbosity = "high"
            include_apply_patch_tool: false,
            tools_web_search_request: false,
            experimental_sandbox_command_assessment: false,
-            use_experimental_streamable_shell_tool: false,
            use_experimental_unified_exec_tool: false,
            use_experimental_use_rmcp_client: false,
            features: Features::with_defaults(),
@@ -3055,7 +3052,6 @@ model_verbosity = "high"
            include_apply_patch_tool: false,
            tools_web_search_request: false,
            experimental_sandbox_command_assessment: false,
-            use_experimental_streamable_shell_tool: false,
            use_experimental_unified_exec_tool: false,
            use_experimental_use_rmcp_client: false,
            features: Features::with_defaults(),
@@ -3128,7 +3124,6 @@ model_verbosity = "high"
            include_apply_patch_tool: false,
            tools_web_search_request: false,
            experimental_sandbox_command_assessment: false,
-            use_experimental_streamable_shell_tool: false,
            use_experimental_unified_exec_tool: false,
            use_experimental_use_rmcp_client: false,
            features: Features::with_defaults(),
--- a/codex-rs/core/src/config/profile.rs
+++ b/codex-rs/core/src/config/profile.rs
@@ -25,7 +25,6 @@ pub struct ConfigProfile {
    pub experimental_compact_prompt_file: Option<PathBuf>,
    pub include_apply_patch_tool: Option<bool>,
    pub experimental_use_unified_exec_tool: Option<bool>,
-    pub experimental_use_exec_command_tool: Option<bool>,
    pub experimental_use_rmcp_client: Option<bool>,
    pub experimental_use_freeform_apply_patch: Option<bool>,
    pub experimental_sandbox_command_assessment: Option<bool>,
--- a/codex-rs/core/src/config/types.rs
+++ b/codex-rs/core/src/config/types.rs
@@ -358,6 +358,8 @@ pub struct Tui {
 pub struct Notice {
    /// Tracks whether the user has acknowledged the full access warning prompt.
    pub hide_full_access_warning: Option<bool>,
+    /// Tracks whether the user has acknowledged the Windows world-writable directories warning.
+    pub hide_world_writable_warning: Option<bool>,
 }

 impl Notice {
--- a/codex-rs/core/src/context_manager/history.rs
+++ b/codex-rs/core/src/context_manager/history.rs
@@ -0,0 +1,174 @@
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::TokenUsage;
+use codex_protocol::protocol::TokenUsageInfo;
+use std::ops::Deref;
+
+use crate::context_manager::normalize;
+use crate::context_manager::truncate::format_output_for_model_body;
+use crate::context_manager::truncate::globally_truncate_function_output_items;
+
+/// Transcript of conversation history
+#[derive(Debug, Clone, Default)]
+pub(crate) struct ContextManager {
+    /// The oldest items are at the beginning of the vector.
+    items: Vec<ResponseItem>,
+    token_info: Option<TokenUsageInfo>,
+}
+
+impl ContextManager {
+    pub(crate) fn new() -> Self {
+        Self {
+            items: Vec::new(),
+            token_info: TokenUsageInfo::new_or_append(&None, &None, None),
+        }
+    }
+
+    pub(crate) fn token_info(&self) -> Option<TokenUsageInfo> {
+        self.token_info.clone()
+    }
+
+    pub(crate) fn set_token_usage_full(&mut self, context_window: i64) {
+        match &mut self.token_info {
+            Some(info) => info.fill_to_context_window(context_window),
+            None => {
+                self.token_info = Some(TokenUsageInfo::full_context_window(context_window));
+            }
+        }
+    }
+
+    /// `items` is ordered from oldest to newest.
+    pub(crate) fn record_items<I>(&mut self, items: I)
+    where
+        I: IntoIterator,
+        I::Item: std::ops::Deref<Target = ResponseItem>,
+    {
+        for item in items {
+            let item_ref = item.deref();
+            let is_ghost_snapshot = matches!(item_ref, ResponseItem::GhostSnapshot { .. });
+            if !is_api_message(item_ref) && !is_ghost_snapshot {
+                continue;
+            }
+
+            let processed = Self::process_item(&item);
+            self.items.push(processed);
+        }
+    }
+
+    pub(crate) fn get_history(&mut self) -> Vec<ResponseItem> {
+        self.normalize_history();
+        self.contents()
+    }
+
+    // Returns the history prepared for sending to the model.
+    // With extra response items filtered out and GhostCommits removed.
+    pub(crate) fn get_history_for_prompt(&mut self) -> Vec<ResponseItem> {
+        let mut history = self.get_history();
+        Self::remove_ghost_snapshots(&mut history);
+        history
+    }
+
+    pub(crate) fn remove_first_item(&mut self) {
+        if !self.items.is_empty() {
+            // Remove the oldest item (front of the list). Items are ordered from
+            // oldest → newest, so index 0 is the first entry recorded.
+            let removed = self.items.remove(0);
+            // If the removed item participates in a call/output pair, also remove
+            // its corresponding counterpart to keep the invariants intact without
+            // running a full normalization pass.
+            normalize::remove_corresponding_for(&mut self.items, &removed);
+        }
+    }
+
+    pub(crate) fn replace(&mut self, items: Vec<ResponseItem>) {
+        self.items = items;
+    }
+
+    pub(crate) fn update_token_info(
+        &mut self,
+        usage: &TokenUsage,
+        model_context_window: Option<i64>,
+    ) {
+        self.token_info = TokenUsageInfo::new_or_append(
+            &self.token_info,
+            &Some(usage.clone()),
+            model_context_window,
+        );
+    }
+
+    /// This function enforces a couple of invariants on the in-memory history:
+    /// 1. every call (function/custom) has a corresponding output entry
+    /// 2. every output has a corresponding call entry
+    fn normalize_history(&mut self) {
+        // all function/tool calls must have a corresponding output
+        normalize::ensure_call_outputs_present(&mut self.items);
+
+        // all outputs must have a corresponding function/tool call
+        normalize::remove_orphan_outputs(&mut self.items);
+    }
+
+    /// Returns a clone of the contents in the transcript.
+    fn contents(&self) -> Vec<ResponseItem> {
+        self.items.clone()
+    }
+
+    fn remove_ghost_snapshots(items: &mut Vec<ResponseItem>) {
+        items.retain(|item| !matches!(item, ResponseItem::GhostSnapshot { .. }));
+    }
+
+    fn process_item(item: &ResponseItem) -> ResponseItem {
+        match item {
+            ResponseItem::FunctionCallOutput { call_id, output } => {
+                let truncated = format_output_for_model_body(output.content.as_str());
+                let truncated_items = output
+                    .content_items
+                    .as_ref()
+                    .map(|items| globally_truncate_function_output_items(items));
+                ResponseItem::FunctionCallOutput {
+                    call_id: call_id.clone(),
+                    output: FunctionCallOutputPayload {
+                        content: truncated,
+                        content_items: truncated_items,
+                        success: output.success,
+                    },
+                }
+            }
+            ResponseItem::CustomToolCallOutput { call_id, output } => {
+                let truncated = format_output_for_model_body(output);
+                ResponseItem::CustomToolCallOutput {
+                    call_id: call_id.clone(),
+                    output: truncated,
+                }
+            }
+            ResponseItem::Message { .. }
+            | ResponseItem::Reasoning { .. }
+            | ResponseItem::LocalShellCall { .. }
+            | ResponseItem::FunctionCall { .. }
+            | ResponseItem::WebSearchCall { .. }
+            | ResponseItem::CustomToolCall { .. }
+            | ResponseItem::GhostSnapshot { .. }
+            | ResponseItem::Other => item.clone(),
+        }
+    }
+}
+
+/// API messages include every non-system item (user/assistant messages, reasoning,
+/// tool calls, tool outputs, shell calls, and web-search calls).
+fn is_api_message(message: &ResponseItem) -> bool {
+    match message {
+        ResponseItem::Message { role, .. } => role.as_str() != "system",
+        ResponseItem::FunctionCallOutput { .. }
+        | ResponseItem::FunctionCall { .. }
+        | ResponseItem::CustomToolCall { .. }
+        | ResponseItem::CustomToolCallOutput { .. }
+        | ResponseItem::LocalShellCall { .. }
+        | ResponseItem::Reasoning { .. }
+        | ResponseItem::WebSearchCall { .. } => true,
+        ResponseItem::GhostSnapshot { .. } => false,
+        ResponseItem::Other => false,
+    }
+}
+
+#[cfg(test)]
+#[path = "history_tests.rs"]
+mod tests;
--- a/codex-rs/core/src/context_manager/history_tests.rs
+++ b/codex-rs/core/src/context_manager/history_tests.rs
@@ -0,0 +1,841 @@
+use super::*;
+use crate::context_manager::truncate;
+use codex_git::GhostCommit;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::FunctionCallOutputContentItem;
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::LocalShellAction;
+use codex_protocol::models::LocalShellExecAction;
+use codex_protocol::models::LocalShellStatus;
+use codex_protocol::models::ReasoningItemContent;
+use codex_protocol::models::ReasoningItemReasoningSummary;
+use pretty_assertions::assert_eq;
+use regex_lite::Regex;
+
+fn assistant_msg(text: &str) -> ResponseItem {
+    ResponseItem::Message {
+        id: None,
+        role: "assistant".to_string(),
+        content: vec![ContentItem::OutputText {
+            text: text.to_string(),
+        }],
+    }
+}
+
+fn create_history_with_items(items: Vec<ResponseItem>) -> ContextManager {
+    let mut h = ContextManager::new();
+    h.record_items(items.iter());
+    h
+}
+
+fn user_msg(text: &str) -> ResponseItem {
+    ResponseItem::Message {
+        id: None,
+        role: "user".to_string(),
+        content: vec![ContentItem::OutputText {
+            text: text.to_string(),
+        }],
+    }
+}
+
+fn reasoning_msg(text: &str) -> ResponseItem {
+    ResponseItem::Reasoning {
+        id: String::new(),
+        summary: vec![ReasoningItemReasoningSummary::SummaryText {
+            text: "summary".to_string(),
+        }],
+        content: Some(vec![ReasoningItemContent::ReasoningText {
+            text: text.to_string(),
+        }]),
+        encrypted_content: None,
+    }
+}
+
+#[test]
+fn filters_non_api_messages() {
+    let mut h = ContextManager::default();
+    // System message is not API messages; Other is ignored.
+    let system = ResponseItem::Message {
+        id: None,
+        role: "system".to_string(),
+        content: vec![ContentItem::OutputText {
+            text: "ignored".to_string(),
+        }],
+    };
+    let reasoning = reasoning_msg("thinking...");
+    h.record_items([&system, &reasoning, &ResponseItem::Other]);
+
+    // User and assistant should be retained.
+    let u = user_msg("hi");
+    let a = assistant_msg("hello");
+    h.record_items([&u, &a]);
+
+    let items = h.contents();
+    assert_eq!(
+        items,
+        vec![
+            ResponseItem::Reasoning {
+                id: String::new(),
+                summary: vec![ReasoningItemReasoningSummary::SummaryText {
+                    text: "summary".to_string(),
+                }],
+                content: Some(vec![ReasoningItemContent::ReasoningText {
+                    text: "thinking...".to_string(),
+                }]),
+                encrypted_content: None,
+            },
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::OutputText {
+                    text: "hi".to_string()
+                }]
+            },
+            ResponseItem::Message {
+                id: None,
+                role: "assistant".to_string(),
+                content: vec![ContentItem::OutputText {
+                    text: "hello".to_string()
+                }]
+            }
+        ]
+    );
+}
+
+#[test]
+fn get_history_for_prompt_drops_ghost_commits() {
+    let items = vec![ResponseItem::GhostSnapshot {
+        ghost_commit: GhostCommit::new("ghost-1".to_string(), None, Vec::new(), Vec::new()),
+    }];
+    let mut history = create_history_with_items(items);
+    let filtered = history.get_history_for_prompt();
+    assert_eq!(filtered, vec![]);
+}
+
+#[test]
+fn remove_first_item_removes_matching_output_for_function_call() {
+    let items = vec![
+        ResponseItem::FunctionCall {
+            id: None,
+            name: "do_it".to_string(),
+            arguments: "{}".to_string(),
+            call_id: "call-1".to_string(),
+        },
+        ResponseItem::FunctionCallOutput {
+            call_id: "call-1".to_string(),
+            output: FunctionCallOutputPayload {
+                content: "ok".to_string(),
+                ..Default::default()
+            },
+        },
+    ];
+    let mut h = create_history_with_items(items);
+    h.remove_first_item();
+    assert_eq!(h.contents(), vec![]);
+}
+
+#[test]
+fn remove_first_item_removes_matching_call_for_output() {
+    let items = vec![
+        ResponseItem::FunctionCallOutput {
+            call_id: "call-2".to_string(),
+            output: FunctionCallOutputPayload {
+                content: "ok".to_string(),
+                ..Default::default()
+            },
+        },
+        ResponseItem::FunctionCall {
+            id: None,
+            name: "do_it".to_string(),
+            arguments: "{}".to_string(),
+            call_id: "call-2".to_string(),
+        },
+    ];
+    let mut h = create_history_with_items(items);
+    h.remove_first_item();
+    assert_eq!(h.contents(), vec![]);
+}
+
+#[test]
+fn remove_first_item_handles_local_shell_pair() {
+    let items = vec![
+        ResponseItem::LocalShellCall {
+            id: None,
+            call_id: Some("call-3".to_string()),
+            status: LocalShellStatus::Completed,
+            action: LocalShellAction::Exec(LocalShellExecAction {
+                command: vec!["echo".to_string(), "hi".to_string()],
+                timeout_ms: None,
+                working_directory: None,
+                env: None,
+                user: None,
+            }),
+        },
+        ResponseItem::FunctionCallOutput {
+            call_id: "call-3".to_string(),
+            output: FunctionCallOutputPayload {
+                content: "ok".to_string(),
+                ..Default::default()
+            },
+        },
+    ];
+    let mut h = create_history_with_items(items);
+    h.remove_first_item();
+    assert_eq!(h.contents(), vec![]);
+}
+
+#[test]
+fn remove_first_item_handles_custom_tool_pair() {
+    let items = vec![
+        ResponseItem::CustomToolCall {
+            id: None,
+            status: None,
+            call_id: "tool-1".to_string(),
+            name: "my_tool".to_string(),
+            input: "{}".to_string(),
+        },
+        ResponseItem::CustomToolCallOutput {
+            call_id: "tool-1".to_string(),
+            output: "ok".to_string(),
+        },
+    ];
+    let mut h = create_history_with_items(items);
+    h.remove_first_item();
+    assert_eq!(h.contents(), vec![]);
+}
+
+#[test]
+fn normalization_retains_local_shell_outputs() {
+    let items = vec![
+        ResponseItem::LocalShellCall {
+            id: None,
+            call_id: Some("shell-1".to_string()),
+            status: LocalShellStatus::Completed,
+            action: LocalShellAction::Exec(LocalShellExecAction {
+                command: vec!["echo".to_string(), "hi".to_string()],
+                timeout_ms: None,
+                working_directory: None,
+                env: None,
+                user: None,
+            }),
+        },
+        ResponseItem::FunctionCallOutput {
+            call_id: "shell-1".to_string(),
+            output: FunctionCallOutputPayload {
+                content: "ok".to_string(),
+                ..Default::default()
+            },
+        },
+    ];
+
+    let mut history = create_history_with_items(items.clone());
+    let normalized = history.get_history();
+    assert_eq!(normalized, items);
+}
+
+#[test]
+fn record_items_truncates_function_call_output_content() {
+    let mut history = ContextManager::new();
+    let long_line = "a very long line to trigger truncation\n";
+    let long_output = long_line.repeat(2_500);
+    let item = ResponseItem::FunctionCallOutput {
+        call_id: "call-100".to_string(),
+        output: FunctionCallOutputPayload {
+            content: long_output.clone(),
+            success: Some(true),
+            ..Default::default()
+        },
+    };
+
+    history.record_items([&item]);
+
+    assert_eq!(history.items.len(), 1);
+    match &history.items[0] {
+        ResponseItem::FunctionCallOutput { output, .. } => {
+            assert_ne!(output.content, long_output);
+            assert!(
+                output.content.starts_with("Total output lines:"),
+                "expected truncated summary, got {}",
+                output.content
+            );
+        }
+        other => panic!("unexpected history item: {other:?}"),
+    }
+}
+
+#[test]
+fn record_items_truncates_custom_tool_call_output_content() {
+    let mut history = ContextManager::new();
+    let line = "custom output that is very long\n";
+    let long_output = line.repeat(2_500);
+    let item = ResponseItem::CustomToolCallOutput {
+        call_id: "tool-200".to_string(),
+        output: long_output.clone(),
+    };
+
+    history.record_items([&item]);
+
+    assert_eq!(history.items.len(), 1);
+    match &history.items[0] {
+        ResponseItem::CustomToolCallOutput { output, .. } => {
+            assert_ne!(output, &long_output);
+            assert!(
+                output.starts_with("Total output lines:"),
+                "expected truncated summary, got {output}"
+            );
+        }
+        other => panic!("unexpected history item: {other:?}"),
+    }
+}
+
+fn assert_truncated_message_matches(message: &str, line: &str, total_lines: usize) {
+    let pattern = truncated_message_pattern(line, total_lines);
+    let regex = Regex::new(&pattern).unwrap_or_else(|err| {
+        panic!("failed to compile regex {pattern}: {err}");
+    });
+    let captures = regex
+        .captures(message)
+        .unwrap_or_else(|| panic!("message failed to match pattern {pattern}: {message}"));
+    let body = captures
+        .name("body")
+        .expect("missing body capture")
+        .as_str();
+    assert!(
+        body.len() <= truncate::MODEL_FORMAT_MAX_BYTES,
+        "body exceeds byte limit: {} bytes",
+        body.len()
+    );
+}
+
+fn truncated_message_pattern(line: &str, total_lines: usize) -> String {
+    let head_take = truncate::MODEL_FORMAT_HEAD_LINES.min(total_lines);
+    let tail_take = truncate::MODEL_FORMAT_TAIL_LINES.min(total_lines.saturating_sub(head_take));
+    let omitted = total_lines.saturating_sub(head_take + tail_take);
+    let escaped_line = regex_lite::escape(line);
+    if omitted == 0 {
+        return format!(
+            r"(?s)^Total output lines: {total_lines}\n\n(?P<body>{escaped_line}.*\n\[\.{{3}} output truncated to fit {max_bytes} bytes \.{{3}}]\n\n.*)$",
+            max_bytes = truncate::MODEL_FORMAT_MAX_BYTES,
+        );
+    }
+    format!(
+        r"(?s)^Total output lines: {total_lines}\n\n(?P<body>{escaped_line}.*\n\[\.{{3}} omitted {omitted} of {total_lines} lines \.{{3}}]\n\n.*)$",
+    )
+}
+
+#[test]
+fn format_exec_output_truncates_large_error() {
+    let line = "very long execution error line that should trigger truncation\n";
+    let large_error = line.repeat(2_500); // way beyond both byte and line limits
+
+    let truncated = truncate::format_output_for_model_body(&large_error);
+
+    let total_lines = large_error.lines().count();
+    assert_truncated_message_matches(&truncated, line, total_lines);
+    assert_ne!(truncated, large_error);
+}
+
+#[test]
+fn format_exec_output_marks_byte_truncation_without_omitted_lines() {
+    let long_line = "a".repeat(truncate::MODEL_FORMAT_MAX_BYTES + 50);
+    let truncated = truncate::format_output_for_model_body(&long_line);
+
+    assert_ne!(truncated, long_line);
+    let marker_line = format!(
+        "[... output truncated to fit {} bytes ...]",
+        truncate::MODEL_FORMAT_MAX_BYTES
+    );
+    assert!(
+        truncated.contains(&marker_line),
+        "missing byte truncation marker: {truncated}"
+    );
+    assert!(
+        !truncated.contains("omitted"),
+        "line omission marker should not appear when no lines were dropped: {truncated}"
+    );
+}
+
+#[test]
+fn format_exec_output_returns_original_when_within_limits() {
+    let content = "example output\n".repeat(10);
+
+    assert_eq!(truncate::format_output_for_model_body(&content), content);
+}
+
+#[test]
+fn format_exec_output_reports_omitted_lines_and_keeps_head_and_tail() {
+    let total_lines = truncate::MODEL_FORMAT_MAX_LINES + 100;
+    let content: String = (0..total_lines)
+        .map(|idx| format!("line-{idx}\n"))
+        .collect();
+
+    let truncated = truncate::format_output_for_model_body(&content);
+    let omitted = total_lines - truncate::MODEL_FORMAT_MAX_LINES;
+    let expected_marker = format!("[... omitted {omitted} of {total_lines} lines ...]");
+
+    assert!(
+        truncated.contains(&expected_marker),
+        "missing omitted marker: {truncated}"
+    );
+    assert!(
+        truncated.contains("line-0\n"),
+        "expected head line to remain: {truncated}"
+    );
+
+    let last_line = format!("line-{}\n", total_lines - 1);
+    assert!(
+        truncated.contains(&last_line),
+        "expected tail line to remain: {truncated}"
+    );
+}
+
+#[test]
+fn format_exec_output_prefers_line_marker_when_both_limits_exceeded() {
+    let total_lines = truncate::MODEL_FORMAT_MAX_LINES + 42;
+    let long_line = "x".repeat(256);
+    let content: String = (0..total_lines)
+        .map(|idx| format!("line-{idx}-{long_line}\n"))
+        .collect();
+
+    let truncated = truncate::format_output_for_model_body(&content);
+
+    assert!(
+        truncated.contains("[... omitted 42 of 298 lines ...]"),
+        "expected omitted marker when line count exceeds limit: {truncated}"
+    );
+    assert!(
+        !truncated.contains("output truncated to fit"),
+        "line omission marker should take precedence over byte marker: {truncated}"
+    );
+}
+
+#[test]
+fn truncates_across_multiple_under_limit_texts_and_reports_omitted() {
+    // Arrange: several text items, none exceeding per-item limit, but total exceeds budget.
+    let budget = truncate::MODEL_FORMAT_MAX_BYTES;
+    let t1_len = (budget / 2).saturating_sub(10);
+    let t2_len = (budget / 2).saturating_sub(10);
+    let remaining_after_t1_t2 = budget.saturating_sub(t1_len + t2_len);
+    let t3_len = 50; // gets truncated to remaining_after_t1_t2
+    let t4_len = 5; // omitted
+    let t5_len = 7; // omitted
+
+    let t1 = "a".repeat(t1_len);
+    let t2 = "b".repeat(t2_len);
+    let t3 = "c".repeat(t3_len);
+    let t4 = "d".repeat(t4_len);
+    let t5 = "e".repeat(t5_len);
+
+    let item = ResponseItem::FunctionCallOutput {
+        call_id: "call-omit".to_string(),
+        output: FunctionCallOutputPayload {
+            content: "irrelevant".to_string(),
+            content_items: Some(vec![
+                FunctionCallOutputContentItem::InputText { text: t1 },
+                FunctionCallOutputContentItem::InputText { text: t2 },
+                FunctionCallOutputContentItem::InputImage {
+                    image_url: "img:mid".to_string(),
+                },
+                FunctionCallOutputContentItem::InputText { text: t3 },
+                FunctionCallOutputContentItem::InputText { text: t4 },
+                FunctionCallOutputContentItem::InputText { text: t5 },
+            ]),
+            success: Some(true),
+        },
+    };
+
+    let mut history = ContextManager::new();
+    history.record_items([&item]);
+    assert_eq!(history.items.len(), 1);
+    let json = serde_json::to_value(&history.items[0]).expect("serialize to json");
+
+    let output = json
+        .get("output")
+        .expect("output field")
+        .as_array()
+        .expect("array output");
+
+    // Expect: t1 (full), t2 (full), image, t3 (truncated), summary mentioning 2 omitted.
+    assert_eq!(output.len(), 5);
+
+    let first = output[0].as_object().expect("first obj");
+    assert_eq!(first.get("type").unwrap(), "input_text");
+    let first_text = first.get("text").unwrap().as_str().unwrap();
+    assert_eq!(first_text.len(), t1_len);
+
+    let second = output[1].as_object().expect("second obj");
+    assert_eq!(second.get("type").unwrap(), "input_text");
+    let second_text = second.get("text").unwrap().as_str().unwrap();
+    assert_eq!(second_text.len(), t2_len);
+
+    assert_eq!(
+        output[2],
+        serde_json::json!({"type": "input_image", "image_url": "img:mid"})
+    );
+
+    let fourth = output[3].as_object().expect("fourth obj");
+    assert_eq!(fourth.get("type").unwrap(), "input_text");
+    let fourth_text = fourth.get("text").unwrap().as_str().unwrap();
+    assert_eq!(fourth_text.len(), remaining_after_t1_t2);
+
+    let summary = output[4].as_object().expect("summary obj");
+    assert_eq!(summary.get("type").unwrap(), "input_text");
+    let summary_text = summary.get("text").unwrap().as_str().unwrap();
+    assert!(summary_text.contains("omitted 2 text items"));
+}
+
+//TODO(aibrahim): run CI in release mode.
+#[cfg(not(debug_assertions))]
+#[test]
+fn normalize_adds_missing_output_for_function_call() {
+    let items = vec![ResponseItem::FunctionCall {
+        id: None,
+        name: "do_it".to_string(),
+        arguments: "{}".to_string(),
+        call_id: "call-x".to_string(),
+    }];
+    let mut h = create_history_with_items(items);
+
+    h.normalize_history();
+
+    assert_eq!(
+        h.contents(),
+        vec![
+            ResponseItem::FunctionCall {
+                id: None,
+                name: "do_it".to_string(),
+                arguments: "{}".to_string(),
+                call_id: "call-x".to_string(),
+            },
+            ResponseItem::FunctionCallOutput {
+                call_id: "call-x".to_string(),
+                output: FunctionCallOutputPayload {
+                    content: "aborted".to_string(),
+                    ..Default::default()
+                },
+            },
+        ]
+    );
+}
+
+#[cfg(not(debug_assertions))]
+#[test]
+fn normalize_adds_missing_output_for_custom_tool_call() {
+    let items = vec![ResponseItem::CustomToolCall {
+        id: None,
+        status: None,
+        call_id: "tool-x".to_string(),
+        name: "custom".to_string(),
+        input: "{}".to_string(),
+    }];
+    let mut h = create_history_with_items(items);
+
+    h.normalize_history();
+
+    assert_eq!(
+        h.contents(),
+        vec![
+            ResponseItem::CustomToolCall {
+                id: None,
+                status: None,
+                call_id: "tool-x".to_string(),
+                name: "custom".to_string(),
+                input: "{}".to_string(),
+            },
+            ResponseItem::CustomToolCallOutput {
+                call_id: "tool-x".to_string(),
+                output: "aborted".to_string(),
+            },
+        ]
+    );
+}
+
+#[cfg(not(debug_assertions))]
+#[test]
+fn normalize_adds_missing_output_for_local_shell_call_with_id() {
+    let items = vec![ResponseItem::LocalShellCall {
+        id: None,
+        call_id: Some("shell-1".to_string()),
+        status: LocalShellStatus::Completed,
+        action: LocalShellAction::Exec(LocalShellExecAction {
+            command: vec!["echo".to_string(), "hi".to_string()],
+            timeout_ms: None,
+            working_directory: None,
+            env: None,
+            user: None,
+        }),
+    }];
+    let mut h = create_history_with_items(items);
+
+    h.normalize_history();
+
+    assert_eq!(
+        h.contents(),
+        vec![
+            ResponseItem::LocalShellCall {
+                id: None,
+                call_id: Some("shell-1".to_string()),
+                status: LocalShellStatus::Completed,
+                action: LocalShellAction::Exec(LocalShellExecAction {
+                    command: vec!["echo".to_string(), "hi".to_string()],
+                    timeout_ms: None,
+                    working_directory: None,
+                    env: None,
+                    user: None,
+                }),
+            },
+            ResponseItem::FunctionCallOutput {
+                call_id: "shell-1".to_string(),
+                output: FunctionCallOutputPayload {
+                    content: "aborted".to_string(),
+                    ..Default::default()
+                },
+            },
+        ]
+    );
+}
+
+#[cfg(not(debug_assertions))]
+#[test]
+fn normalize_removes_orphan_function_call_output() {
+    let items = vec![ResponseItem::FunctionCallOutput {
+        call_id: "orphan-1".to_string(),
+        output: FunctionCallOutputPayload {
+            content: "ok".to_string(),
+            ..Default::default()
+        },
+    }];
+    let mut h = create_history_with_items(items);
+
+    h.normalize_history();
+
+    assert_eq!(h.contents(), vec![]);
+}
+
+#[cfg(not(debug_assertions))]
+#[test]
+fn normalize_removes_orphan_custom_tool_call_output() {
+    let items = vec![ResponseItem::CustomToolCallOutput {
+        call_id: "orphan-2".to_string(),
+        output: "ok".to_string(),
+    }];
+    let mut h = create_history_with_items(items);
+
+    h.normalize_history();
+
+    assert_eq!(h.contents(), vec![]);
+}
+
+#[cfg(not(debug_assertions))]
+#[test]
+fn normalize_mixed_inserts_and_removals() {
+    let items = vec![
+        // Will get an inserted output
+        ResponseItem::FunctionCall {
+            id: None,
+            name: "f1".to_string(),
+            arguments: "{}".to_string(),
+            call_id: "c1".to_string(),
+        },
+        // Orphan output that should be removed
+        ResponseItem::FunctionCallOutput {
+            call_id: "c2".to_string(),
+            output: FunctionCallOutputPayload {
+                content: "ok".to_string(),
+                ..Default::default()
+            },
+        },
+        // Will get an inserted custom tool output
+        ResponseItem::CustomToolCall {
+            id: None,
+            status: None,
+            call_id: "t1".to_string(),
+            name: "tool".to_string(),
+            input: "{}".to_string(),
+        },
+        // Local shell call also gets an inserted function call output
+        ResponseItem::LocalShellCall {
+            id: None,
+            call_id: Some("s1".to_string()),
+            status: LocalShellStatus::Completed,
+            action: LocalShellAction::Exec(LocalShellExecAction {
+                command: vec!["echo".to_string()],
+                timeout_ms: None,
+                working_directory: None,
+                env: None,
+                user: None,
+            }),
+        },
+    ];
+    let mut h = create_history_with_items(items);
+
+    h.normalize_history();
+
+    assert_eq!(
+        h.contents(),
+        vec![
+            ResponseItem::FunctionCall {
+                id: None,
+                name: "f1".to_string(),
+                arguments: "{}".to_string(),
+                call_id: "c1".to_string(),
+            },
+            ResponseItem::FunctionCallOutput {
+                call_id: "c1".to_string(),
+                output: FunctionCallOutputPayload {
+                    content: "aborted".to_string(),
+                    ..Default::default()
+                },
+            },
+            ResponseItem::CustomToolCall {
+                id: None,
+                status: None,
+                call_id: "t1".to_string(),
+                name: "tool".to_string(),
+                input: "{}".to_string(),
+            },
+            ResponseItem::CustomToolCallOutput {
+                call_id: "t1".to_string(),
+                output: "aborted".to_string(),
+            },
+            ResponseItem::LocalShellCall {
+                id: None,
+                call_id: Some("s1".to_string()),
+                status: LocalShellStatus::Completed,
+                action: LocalShellAction::Exec(LocalShellExecAction {
+                    command: vec!["echo".to_string()],
+                    timeout_ms: None,
+                    working_directory: None,
+                    env: None,
+                    user: None,
+                }),
+            },
+            ResponseItem::FunctionCallOutput {
+                call_id: "s1".to_string(),
+                output: FunctionCallOutputPayload {
+                    content: "aborted".to_string(),
+                    ..Default::default()
+                },
+            },
+        ]
+    );
+}
+
+// In debug builds we panic on normalization errors instead of silently fixing them.
+#[cfg(debug_assertions)]
+#[test]
+#[should_panic]
+fn normalize_adds_missing_output_for_function_call_panics_in_debug() {
+    let items = vec![ResponseItem::FunctionCall {
+        id: None,
+        name: "do_it".to_string(),
+        arguments: "{}".to_string(),
+        call_id: "call-x".to_string(),
+    }];
+    let mut h = create_history_with_items(items);
+    h.normalize_history();
+}
+
+#[cfg(debug_assertions)]
+#[test]
+#[should_panic]
+fn normalize_adds_missing_output_for_custom_tool_call_panics_in_debug() {
+    let items = vec![ResponseItem::CustomToolCall {
+        id: None,
+        status: None,
+        call_id: "tool-x".to_string(),
+        name: "custom".to_string(),
+        input: "{}".to_string(),
+    }];
+    let mut h = create_history_with_items(items);
+    h.normalize_history();
+}
+
+#[cfg(debug_assertions)]
+#[test]
+#[should_panic]
+fn normalize_adds_missing_output_for_local_shell_call_with_id_panics_in_debug() {
+    let items = vec![ResponseItem::LocalShellCall {
+        id: None,
+        call_id: Some("shell-1".to_string()),
+        status: LocalShellStatus::Completed,
+        action: LocalShellAction::Exec(LocalShellExecAction {
+            command: vec!["echo".to_string(), "hi".to_string()],
+            timeout_ms: None,
+            working_directory: None,
+            env: None,
+            user: None,
+        }),
+    }];
+    let mut h = create_history_with_items(items);
+    h.normalize_history();
+}
+
+#[cfg(debug_assertions)]
+#[test]
+#[should_panic]
+fn normalize_removes_orphan_function_call_output_panics_in_debug() {
+    let items = vec![ResponseItem::FunctionCallOutput {
+        call_id: "orphan-1".to_string(),
+        output: FunctionCallOutputPayload {
+            content: "ok".to_string(),
+            ..Default::default()
+        },
+    }];
+    let mut h = create_history_with_items(items);
+    h.normalize_history();
+}
+
+#[cfg(debug_assertions)]
+#[test]
+#[should_panic]
+fn normalize_removes_orphan_custom_tool_call_output_panics_in_debug() {
+    let items = vec![ResponseItem::CustomToolCallOutput {
+        call_id: "orphan-2".to_string(),
+        output: "ok".to_string(),
+    }];
+    let mut h = create_history_with_items(items);
+    h.normalize_history();
+}
+
+#[cfg(debug_assertions)]
+#[test]
+#[should_panic]
+fn normalize_mixed_inserts_and_removals_panics_in_debug() {
+    let items = vec![
+        ResponseItem::FunctionCall {
+            id: None,
+            name: "f1".to_string(),
+            arguments: "{}".to_string(),
+            call_id: "c1".to_string(),
+        },
+        ResponseItem::FunctionCallOutput {
+            call_id: "c2".to_string(),
+            output: FunctionCallOutputPayload {
+                content: "ok".to_string(),
+                ..Default::default()
+            },
+        },
+        ResponseItem::CustomToolCall {
+            id: None,
+            status: None,
+            call_id: "t1".to_string(),
+            name: "tool".to_string(),
+            input: "{}".to_string(),
+        },
+        ResponseItem::LocalShellCall {
+            id: None,
+            call_id: Some("s1".to_string()),
+            status: LocalShellStatus::Completed,
+            action: LocalShellAction::Exec(LocalShellExecAction {
+                command: vec!["echo".to_string()],
+                timeout_ms: None,
+                working_directory: None,
+                env: None,
+                user: None,
+            }),
+        },
+    ];
+    let mut h = create_history_with_items(items);
+    h.normalize_history();
+}
--- a/codex-rs/core/src/context_manager/mod.rs
+++ b/codex-rs/core/src/context_manager/mod.rs
@@ -0,0 +1,6 @@
+mod history;
+mod normalize;
+mod truncate;
+
+pub(crate) use history::ContextManager;
+pub(crate) use truncate::format_output_for_model_body;
--- a/codex-rs/core/src/context_manager/normalize.rs
+++ b/codex-rs/core/src/context_manager/normalize.rs
@@ -0,0 +1,213 @@
+use std::collections::HashSet;
+
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::ResponseItem;
+
+use crate::util::error_or_panic;
+
+pub(crate) fn ensure_call_outputs_present(items: &mut Vec<ResponseItem>) {
+    // Collect synthetic outputs to insert immediately after their calls.
+    // Store the insertion position (index of call) alongside the item so
+    // we can insert in reverse order and avoid index shifting.
+    let mut missing_outputs_to_insert: Vec<(usize, ResponseItem)> = Vec::new();
+
+    for (idx, item) in items.iter().enumerate() {
+        match item {
+            ResponseItem::FunctionCall { call_id, .. } => {
+                let has_output = items.iter().any(|i| match i {
+                    ResponseItem::FunctionCallOutput {
+                        call_id: existing, ..
+                    } => existing == call_id,
+                    _ => false,
+                });
+
+                if !has_output {
+                    error_or_panic(format!(
+                        "Function call output is missing for call id: {call_id}"
+                    ));
+                    missing_outputs_to_insert.push((
+                        idx,
+                        ResponseItem::FunctionCallOutput {
+                            call_id: call_id.clone(),
+                            output: FunctionCallOutputPayload {
+                                content: "aborted".to_string(),
+                                ..Default::default()
+                            },
+                        },
+                    ));
+                }
+            }
+            ResponseItem::CustomToolCall { call_id, .. } => {
+                let has_output = items.iter().any(|i| match i {
+                    ResponseItem::CustomToolCallOutput {
+                        call_id: existing, ..
+                    } => existing == call_id,
+                    _ => false,
+                });
+
+                if !has_output {
+                    error_or_panic(format!(
+                        "Custom tool call output is missing for call id: {call_id}"
+                    ));
+                    missing_outputs_to_insert.push((
+                        idx,
+                        ResponseItem::CustomToolCallOutput {
+                            call_id: call_id.clone(),
+                            output: "aborted".to_string(),
+                        },
+                    ));
+                }
+            }
+            // LocalShellCall is represented in upstream streams by a FunctionCallOutput
+            ResponseItem::LocalShellCall { call_id, .. } => {
+                if let Some(call_id) = call_id.as_ref() {
+                    let has_output = items.iter().any(|i| match i {
+                        ResponseItem::FunctionCallOutput {
+                            call_id: existing, ..
+                        } => existing == call_id,
+                        _ => false,
+                    });
+
+                    if !has_output {
+                        error_or_panic(format!(
+                            "Local shell call output is missing for call id: {call_id}"
+                        ));
+                        missing_outputs_to_insert.push((
+                            idx,
+                            ResponseItem::FunctionCallOutput {
+                                call_id: call_id.clone(),
+                                output: FunctionCallOutputPayload {
+                                    content: "aborted".to_string(),
+                                    ..Default::default()
+                                },
+                            },
+                        ));
+                    }
+                }
+            }
+            _ => {}
+        }
+    }
+
+    // Insert synthetic outputs in reverse index order to avoid re-indexing.
+    for (idx, output_item) in missing_outputs_to_insert.into_iter().rev() {
+        items.insert(idx + 1, output_item);
+    }
+}
+
+pub(crate) fn remove_orphan_outputs(items: &mut Vec<ResponseItem>) {
+    let function_call_ids: HashSet<String> = items
+        .iter()
+        .filter_map(|i| match i {
+            ResponseItem::FunctionCall { call_id, .. } => Some(call_id.clone()),
+            _ => None,
+        })
+        .collect();
+
+    let local_shell_call_ids: HashSet<String> = items
+        .iter()
+        .filter_map(|i| match i {
+            ResponseItem::LocalShellCall {
+                call_id: Some(call_id),
+                ..
+            } => Some(call_id.clone()),
+            _ => None,
+        })
+        .collect();
+
+    let custom_tool_call_ids: HashSet<String> = items
+        .iter()
+        .filter_map(|i| match i {
+            ResponseItem::CustomToolCall { call_id, .. } => Some(call_id.clone()),
+            _ => None,
+        })
+        .collect();
+
+    items.retain(|item| match item {
+        ResponseItem::FunctionCallOutput { call_id, .. } => {
+            let has_match =
+                function_call_ids.contains(call_id) || local_shell_call_ids.contains(call_id);
+            if !has_match {
+                error_or_panic(format!(
+                    "Orphan function call output for call id: {call_id}"
+                ));
+            }
+            has_match
+        }
+        ResponseItem::CustomToolCallOutput { call_id, .. } => {
+            let has_match = custom_tool_call_ids.contains(call_id);
+            if !has_match {
+                error_or_panic(format!(
+                    "Orphan custom tool call output for call id: {call_id}"
+                ));
+            }
+            has_match
+        }
+        _ => true,
+    });
+}
+
+pub(crate) fn remove_corresponding_for(items: &mut Vec<ResponseItem>, item: &ResponseItem) {
+    match item {
+        ResponseItem::FunctionCall { call_id, .. } => {
+            remove_first_matching(items, |i| {
+                matches!(
+                    i,
+                    ResponseItem::FunctionCallOutput {
+                        call_id: existing, ..
+                    } if existing == call_id
+                )
+            });
+        }
+        ResponseItem::FunctionCallOutput { call_id, .. } => {
+            if let Some(pos) = items.iter().position(|i| {
+                matches!(i, ResponseItem::FunctionCall { call_id: existing, .. } if existing == call_id)
+            }) {
+                items.remove(pos);
+            } else if let Some(pos) = items.iter().position(|i| {
+                matches!(i, ResponseItem::LocalShellCall { call_id: Some(existing), .. } if existing == call_id)
+            }) {
+                items.remove(pos);
+            }
+        }
+        ResponseItem::CustomToolCall { call_id, .. } => {
+            remove_first_matching(items, |i| {
+                matches!(
+                    i,
+                    ResponseItem::CustomToolCallOutput {
+                        call_id: existing, ..
+                    } if existing == call_id
+                )
+            });
+        }
+        ResponseItem::CustomToolCallOutput { call_id, .. } => {
+            remove_first_matching(
+                items,
+                |i| matches!(i, ResponseItem::CustomToolCall { call_id: existing, .. } if existing == call_id),
+            );
+        }
+        ResponseItem::LocalShellCall {
+            call_id: Some(call_id),
+            ..
+        } => {
+            remove_first_matching(items, |i| {
+                matches!(
+                    i,
+                    ResponseItem::FunctionCallOutput {
+                        call_id: existing, ..
+                    } if existing == call_id
+                )
+            });
+        }
+        _ => {}
+    }
+}
+
+fn remove_first_matching<F>(items: &mut Vec<ResponseItem>, predicate: F)
+where
+    F: Fn(&ResponseItem) -> bool,
+{
+    if let Some(pos) = items.iter().position(predicate) {
+        items.remove(pos);
+    }
+}
--- a/codex-rs/core/src/context_manager/truncate.rs
+++ b/codex-rs/core/src/context_manager/truncate.rs
@@ -0,0 +1,128 @@
+use codex_protocol::models::FunctionCallOutputContentItem;
+use codex_utils_string::take_bytes_at_char_boundary;
+use codex_utils_string::take_last_bytes_at_char_boundary;
+
+// Model-formatting limits: clients get full streams; only content sent to the model is truncated.
+pub(crate) const MODEL_FORMAT_MAX_BYTES: usize = 10 * 1024; // 10 KiB
+pub(crate) const MODEL_FORMAT_MAX_LINES: usize = 256; // lines
+pub(crate) const MODEL_FORMAT_HEAD_LINES: usize = MODEL_FORMAT_MAX_LINES / 2;
+pub(crate) const MODEL_FORMAT_TAIL_LINES: usize = MODEL_FORMAT_MAX_LINES - MODEL_FORMAT_HEAD_LINES; // 128
+pub(crate) const MODEL_FORMAT_HEAD_BYTES: usize = MODEL_FORMAT_MAX_BYTES / 2;
+
+pub(crate) fn globally_truncate_function_output_items(
+    items: &[FunctionCallOutputContentItem],
+) -> Vec<FunctionCallOutputContentItem> {
+    let mut out: Vec<FunctionCallOutputContentItem> = Vec::with_capacity(items.len());
+    let mut remaining = MODEL_FORMAT_MAX_BYTES;
+    let mut omitted_text_items = 0usize;
+
+    for it in items {
+        match it {
+            FunctionCallOutputContentItem::InputText { text } => {
+                if remaining == 0 {
+                    omitted_text_items += 1;
+                    continue;
+                }
+
+                let len = text.len();
+                if len <= remaining {
+                    out.push(FunctionCallOutputContentItem::InputText { text: text.clone() });
+                    remaining -= len;
+                } else {
+                    let slice = take_bytes_at_char_boundary(text, remaining);
+                    if !slice.is_empty() {
+                        out.push(FunctionCallOutputContentItem::InputText {
+                            text: slice.to_string(),
+                        });
+                    }
+                    remaining = 0;
+                }
+            }
+            // todo(aibrahim): handle input images; resize
+            FunctionCallOutputContentItem::InputImage { image_url } => {
+                out.push(FunctionCallOutputContentItem::InputImage {
+                    image_url: image_url.clone(),
+                });
+            }
+        }
+    }
+
+    if omitted_text_items > 0 {
+        out.push(FunctionCallOutputContentItem::InputText {
+            text: format!("[omitted {omitted_text_items} text items ...]"),
+        });
+    }
+
+    out
+}
+
+pub(crate) fn format_output_for_model_body(content: &str) -> String {
+    // Head+tail truncation for the model: show the beginning and end with an elision.
+    // Clients still receive full streams; only this formatted summary is capped.
+    let total_lines = content.lines().count();
+    if content.len() <= MODEL_FORMAT_MAX_BYTES && total_lines <= MODEL_FORMAT_MAX_LINES {
+        return content.to_string();
+    }
+    let output = truncate_formatted_exec_output(content, total_lines);
+    format!("Total output lines: {total_lines}\n\n{output}")
+}
+
+fn truncate_formatted_exec_output(content: &str, total_lines: usize) -> String {
+    let segments: Vec<&str> = content.split_inclusive('\n').collect();
+    let head_take = MODEL_FORMAT_HEAD_LINES.min(segments.len());
+    let tail_take = MODEL_FORMAT_TAIL_LINES.min(segments.len().saturating_sub(head_take));
+    let omitted = segments.len().saturating_sub(head_take + tail_take);
+
+    let head_slice_end: usize = segments
+        .iter()
+        .take(head_take)
+        .map(|segment| segment.len())
+        .sum();
+    let tail_slice_start: usize = if tail_take == 0 {
+        content.len()
+    } else {
+        content.len()
+            - segments
+                .iter()
+                .rev()
+                .take(tail_take)
+                .map(|segment| segment.len())
+                .sum::<usize>()
+    };
+    let head_slice = &content[..head_slice_end];
+    let tail_slice = &content[tail_slice_start..];
+    let truncated_by_bytes = content.len() > MODEL_FORMAT_MAX_BYTES;
+    // this is a bit wrong. We are counting metadata lines and not just shell output lines.
+    let marker = if omitted > 0 {
+        Some(format!(
+            "\n[... omitted {omitted} of {total_lines} lines ...]\n\n"
+        ))
+    } else if truncated_by_bytes {
+        Some(format!(
+            "\n[... output truncated to fit {MODEL_FORMAT_MAX_BYTES} bytes ...]\n\n"
+        ))
+    } else {
+        None
+    };
+
+    let marker_len = marker.as_ref().map_or(0, String::len);
+    let base_head_budget = MODEL_FORMAT_HEAD_BYTES.min(MODEL_FORMAT_MAX_BYTES);
+    let head_budget = base_head_budget.min(MODEL_FORMAT_MAX_BYTES.saturating_sub(marker_len));
+    let head_part = take_bytes_at_char_boundary(head_slice, head_budget);
+    let mut result = String::with_capacity(MODEL_FORMAT_MAX_BYTES.min(content.len()));
+
+    result.push_str(head_part);
+    if let Some(marker_text) = marker.as_ref() {
+        result.push_str(marker_text);
+    }
+
+    let remaining = MODEL_FORMAT_MAX_BYTES.saturating_sub(result.len());
+    if remaining == 0 {
+        return result;
+    }
+
+    let tail_part = take_last_bytes_at_char_boundary(tail_slice, remaining);
+    result.push_str(tail_part);
+
+    result
+}
--- a/codex-rs/core/src/conversation_history.rs
+++ b/codex-rs/core/src/conversation_history.rs
--- a/codex-rs/core/src/custom_prompts.rs
+++ b/codex-rs/core/src/custom_prompts.rs
@@ -32,12 +32,11 @@ pub async fn discover_prompts_in_excluding(

    while let Ok(Some(entry)) = entries.next_entry().await {
        let path = entry.path();
-        let is_file = entry
-            .file_type()
+        let is_file_like = fs::metadata(&path)
            .await
-            .map(|ft| ft.is_file())
+            .map(|m| m.is_file())
            .unwrap_or(false);
-        if !is_file {
+        if !is_file_like {
            continue;
        }
        // Only include Markdown files with a .md extension.
@@ -197,6 +196,25 @@ mod tests {
        assert_eq!(names, vec!["good"]);
    }

+    #[tokio::test]
+    #[cfg(unix)]
+    async fn discovers_symlinked_md_files() {
+        let tmp = tempdir().expect("create TempDir");
+        let dir = tmp.path();
+
+        // Create a real file
+        fs::write(dir.join("real.md"), b"real content").unwrap();
+
+        // Create a symlink to the real file
+        std::os::unix::fs::symlink(dir.join("real.md"), dir.join("link.md")).unwrap();
+
+        let found = discover_prompts_in(dir).await;
+        let names: Vec<String> = found.into_iter().map(|e| e.name).collect();
+
+        // Both real and link should be discovered, sorted alphabetically
+        assert_eq!(names, vec!["link", "real"]);
+    }
+
    #[tokio::test]
    async fn parses_frontmatter_and_strips_from_body() {
        let tmp = tempdir().expect("create TempDir");
--- a/codex-rs/core/src/environment_context.rs
+++ b/codex-rs/core/src/environment_context.rs
@@ -24,7 +24,6 @@ pub enum NetworkAccess {
 #[serde(rename = "environment_context", rename_all = "snake_case")]
 pub(crate) struct EnvironmentContext {
    pub cwd: Option<PathBuf>,
-    pub local_date: Option<String>,
    pub approval_policy: Option<AskForApproval>,
    pub sandbox_mode: Option<SandboxMode>,
    pub network_access: Option<NetworkAccess>,
@@ -35,14 +34,12 @@ pub(crate) struct EnvironmentContext {
 impl EnvironmentContext {
    pub fn new(
        cwd: Option<PathBuf>,
-        local_date: Option<String>,
        approval_policy: Option<AskForApproval>,
        sandbox_policy: Option<SandboxPolicy>,
        shell: Option<Shell>,
    ) -> Self {
        Self {
            cwd,
-            local_date,
            approval_policy,
            sandbox_mode: match sandbox_policy {
                Some(SandboxPolicy::DangerFullAccess) => Some(SandboxMode::DangerFullAccess),
@@ -82,7 +79,6 @@ impl EnvironmentContext {
    pub fn equals_except_shell(&self, other: &EnvironmentContext) -> bool {
        let EnvironmentContext {
            cwd,
-            local_date,
            approval_policy,
            sandbox_mode,
            network_access,
@@ -92,7 +88,6 @@ impl EnvironmentContext {
        } = other;

        self.cwd == *cwd
-            && self.local_date == *local_date
            && self.approval_policy == *approval_policy
            && self.sandbox_mode == *sandbox_mode
            && self.network_access == *network_access
@@ -105,11 +100,6 @@ impl EnvironmentContext {
        } else {
            None
        };
-        let local_date = if before.local_date_with_timezone != after.local_date_with_timezone {
-            after.local_date_with_timezone.clone()
-        } else {
-            None
-        };
        let approval_policy = if before.approval_policy != after.approval_policy {
            Some(after.approval_policy)
        } else {
@@ -120,7 +110,7 @@ impl EnvironmentContext {
        } else {
            None
        };
-        EnvironmentContext::new(cwd, local_date, approval_policy, sandbox_policy, None)
+        EnvironmentContext::new(cwd, approval_policy, sandbox_policy, None)
    }
 }

@@ -128,7 +118,6 @@ impl From<&TurnContext> for EnvironmentContext {
    fn from(turn_context: &TurnContext) -> Self {
        Self::new(
            Some(turn_context.cwd.clone()),
-            turn_context.local_date_with_timezone.clone(),
            Some(turn_context.approval_policy),
            Some(turn_context.sandbox_policy.clone()),
            // Shell is not configurable from turn to turn
@@ -145,7 +134,6 @@ impl EnvironmentContext {
    /// ```xml
    /// <environment_context>
    ///   <cwd>...</cwd>
-    ///   <local_date>...</local_date>
    ///   <approval_policy>...</approval_policy>
    ///   <sandbox_mode>...</sandbox_mode>
    ///   <writable_roots>...</writable_roots>
@@ -158,9 +146,6 @@ impl EnvironmentContext {
        if let Some(cwd) = self.cwd {
            lines.push(format!("  <cwd>{}</cwd>", cwd.to_string_lossy()));
        }
-        if let Some(local_date) = self.local_date {
-            lines.push(format!("  <local_date>{local_date}</local_date>"));
-        }
        if let Some(approval_policy) = self.approval_policy {
            lines.push(format!(
                "  <approval_policy>{approval_policy}</approval_policy>"
@@ -227,7 +212,6 @@ mod tests {
    fn serialize_workspace_write_environment_context() {
        let context = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo", "/tmp"], false)),
            None,
@@ -235,7 +219,6 @@ mod tests {

        let expected = r#"<environment_context>
  <cwd>/repo</cwd>
-  <local_date>2025-01-01 +00:00</local_date>
  <approval_policy>on-request</approval_policy>
  <sandbox_mode>workspace-write</sandbox_mode>
  <network_access>restricted</network_access>
@@ -252,14 +235,12 @@ mod tests {
    fn serialize_read_only_environment_context() {
        let context = EnvironmentContext::new(
            None,
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::Never),
            Some(SandboxPolicy::ReadOnly),
            None,
        );

        let expected = r#"<environment_context>
-  <local_date>2025-01-01 +00:00</local_date>
  <approval_policy>never</approval_policy>
  <sandbox_mode>read-only</sandbox_mode>
  <network_access>restricted</network_access>
@@ -272,14 +253,12 @@ mod tests {
    fn serialize_full_access_environment_context() {
        let context = EnvironmentContext::new(
            None,
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnFailure),
            Some(SandboxPolicy::DangerFullAccess),
            None,
        );

        let expected = r#"<environment_context>
-  <local_date>2025-01-01 +00:00</local_date>
  <approval_policy>on-failure</approval_policy>
  <sandbox_mode>danger-full-access</sandbox_mode>
  <network_access>enabled</network_access>
@@ -293,14 +272,12 @@ mod tests {
        // Approval policy
        let context1 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo"], false)),
            None,
        );
        let context2 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::Never),
            Some(workspace_write_policy(vec!["/repo"], true)),
            None,
@@ -312,14 +289,12 @@ mod tests {
    fn equals_except_shell_compares_sandbox_policy() {
        let context1 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnRequest),
            Some(SandboxPolicy::new_read_only_policy()),
            None,
        );
        let context2 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnRequest),
            Some(SandboxPolicy::new_workspace_write_policy()),
            None,
@@ -332,14 +307,12 @@ mod tests {
    fn equals_except_shell_compares_workspace_write_policy() {
        let context1 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo", "/tmp", "/var"], false)),
            None,
        );
        let context2 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo", "/tmp"], true)),
            None,
@@ -352,7 +325,6 @@ mod tests {
    fn equals_except_shell_ignores_shell() {
        let context1 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo"], false)),
            Some(Shell::Bash(BashShell {
@@ -362,7 +334,6 @@ mod tests {
        );
        let context2 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
-            Some("2025-01-01 +00:00".to_string()),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo"], false)),
            Some(Shell::Zsh(ZshShell {
--- a/codex-rs/core/src/error.rs
+++ b/codex-rs/core/src/error.rs
@@ -4,6 +4,8 @@ use crate::token_data::KnownPlan;
 use crate::token_data::PlanType;
 use crate::truncate::truncate_middle;
 use chrono::DateTime;
+use chrono::Datelike;
+use chrono::Local;
 use chrono::Utc;
 use codex_async_utils::CancelErr;
 use codex_protocol::ConversationId;
@@ -107,6 +109,9 @@ pub enum CodexErr {
    #[error("{0}")]
    ConnectionFailed(ConnectionFailedError),

+    #[error("Quota exceeded. Check your plan and billing details.")]
+    QuotaExceeded,
+
    #[error(
        "To use Codex with your ChatGPT plan, upgrade to Plus: https://openai.com/chatgpt/pricing."
    )]
@@ -133,6 +138,9 @@ pub enum CodexErr {
    #[error("unsupported operation: {0}")]
    UnsupportedOperation(String),

+    #[error("{0}")]
+    RefreshTokenFailed(RefreshTokenFailedError),
+
    #[error("Fatal error: {0}")]
    Fatal(String),

@@ -199,6 +207,30 @@ impl std::fmt::Display for ResponseStreamFailed {
    }
 }

+#[derive(Debug, Clone, PartialEq, Eq, Error)]
+#[error("{message}")]
+pub struct RefreshTokenFailedError {
+    pub reason: RefreshTokenFailedReason,
+    pub message: String,
+}
+
+impl RefreshTokenFailedError {
+    pub fn new(reason: RefreshTokenFailedReason, message: impl Into<String>) -> Self {
+        Self {
+            reason,
+            message: message.into(),
+        }
+    }
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum RefreshTokenFailedReason {
+    Expired,
+    Exhausted,
+    Revoked,
+    Other,
+}
+
 #[derive(Debug)]
 pub struct UnexpectedResponseError {
    pub status: StatusCode,
@@ -206,18 +238,44 @@ pub struct UnexpectedResponseError {
    pub request_id: Option<String>,
 }

+const CLOUDFLARE_BLOCKED_MESSAGE: &str =
+    "Access blocked by Cloudflare. This usually happens when connecting from a restricted region";
+
+impl UnexpectedResponseError {
+    fn friendly_message(&self) -> Option<String> {
+        if self.status != StatusCode::FORBIDDEN {
+            return None;
+        }
+
+        if !self.body.contains("Cloudflare") || !self.body.contains("blocked") {
+            return None;
+        }
+
+        let mut message = format!("{CLOUDFLARE_BLOCKED_MESSAGE} (status {})", self.status);
+        if let Some(id) = &self.request_id {
+            message.push_str(&format!(", request id: {id}"));
+        }
+
+        Some(message)
+    }
+}
+
 impl std::fmt::Display for UnexpectedResponseError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(
-            f,
-            "unexpected status {}: {}{}",
-            self.status,
-            self.body,
-            self.request_id
-                .as_ref()
-                .map(|id| format!(", request id: {id}"))
-                .unwrap_or_default()
-        )
+        if let Some(friendly) = self.friendly_message() {
+            write!(f, "{friendly}")
+        } else {
+            write!(
+                f,
+                "unexpected status {}: {}{}",
+                self.status,
+                self.body,
+                self.request_id
+                    .as_ref()
+                    .map(|id| format!(", request id: {id}"))
+                    .unwrap_or_default()
+            )
+        }
    }
 }

@@ -253,7 +311,7 @@ impl std::fmt::Display for UsageLimitReachedError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let message = match self.plan_type.as_ref() {
            Some(PlanType::Known(KnownPlan::Plus)) => format!(
-                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits{}",
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit https://chatgpt.com/codex/settings/usage to purchase more credits{}",
                retry_suffix_after_or(self.resets_at.as_ref())
            ),
            Some(PlanType::Known(KnownPlan::Team)) | Some(PlanType::Known(KnownPlan::Business)) => {
@@ -267,7 +325,7 @@ impl std::fmt::Display for UsageLimitReachedError {
                    .to_string()
            }
            Some(PlanType::Known(KnownPlan::Pro)) => format!(
-                "You've hit your usage limit. Visit chatgpt.com/codex/settings/usage to purchase more credits{}",
+                "You've hit your usage limit. Visit https://chatgpt.com/codex/settings/usage to purchase more credits{}",
                retry_suffix_after_or(self.resets_at.as_ref())
            ),
            Some(PlanType::Known(KnownPlan::Enterprise))
@@ -286,28 +344,46 @@ impl std::fmt::Display for UsageLimitReachedError {
 }

 fn retry_suffix(resets_at: Option<&DateTime<Utc>>) -> String {
-    if let Some(secs) = remaining_seconds(resets_at) {
-        let reset_duration = format_reset_duration(secs);
-        format!(" Try again in {reset_duration}.")
+    if let Some(resets_at) = resets_at {
+        let formatted = format_retry_timestamp(resets_at);
+        format!(" Try again at {formatted}.")
    } else {
        " Try again later.".to_string()
    }
 }

 fn retry_suffix_after_or(resets_at: Option<&DateTime<Utc>>) -> String {
-    if let Some(secs) = remaining_seconds(resets_at) {
-        let reset_duration = format_reset_duration(secs);
-        format!(" or try again in {reset_duration}.")
+    if let Some(resets_at) = resets_at {
+        let formatted = format_retry_timestamp(resets_at);
+        format!(" or try again at {formatted}.")
    } else {
        " or try again later.".to_string()
    }
 }

-fn remaining_seconds(resets_at: Option<&DateTime<Utc>>) -> Option<u64> {
-    let resets_at = resets_at.cloned()?;
-    let now = now_for_retry();
-    let secs = resets_at.signed_duration_since(now).num_seconds();
-    Some(if secs <= 0 { 0 } else { secs as u64 })
+fn format_retry_timestamp(resets_at: &DateTime<Utc>) -> String {
+    let local_reset = resets_at.with_timezone(&Local);
+    let local_now = now_for_retry().with_timezone(&Local);
+    if local_reset.date_naive() == local_now.date_naive() {
+        local_reset.format("%-I:%M %p").to_string()
+    } else {
+        let suffix = day_suffix(local_reset.day());
+        local_reset
+            .format(&format!("%b %-d{suffix}, %Y %-I:%M %p"))
+            .to_string()
+    }
+}
+
+fn day_suffix(day: u32) -> &'static str {
+    match day {
+        11..=13 => "th",
+        _ => match day % 10 {
+            1 => "st",
+            2 => "nd", // codespell:ignore
+            3 => "rd",
+            _ => "th",
+        },
+    }
 }

 #[cfg(test)]
@@ -326,36 +402,6 @@ fn now_for_retry() -> DateTime<Utc> {
    Utc::now()
 }

-fn format_reset_duration(total_secs: u64) -> String {
-    let days = total_secs / 86_400;
-    let hours = (total_secs % 86_400) / 3_600;
-    let minutes = (total_secs % 3_600) / 60;
-
-    let mut parts: Vec<String> = Vec::new();
-    if days > 0 {
-        let unit = if days == 1 { "day" } else { "days" };
-        parts.push(format!("{days} {unit}"));
-    }
-    if hours > 0 {
-        let unit = if hours == 1 { "hour" } else { "hours" };
-        parts.push(format!("{hours} {unit}"));
-    }
-    if minutes > 0 {
-        let unit = if minutes == 1 { "minute" } else { "minutes" };
-        parts.push(format!("{minutes} {unit}"));
-    }
-
-    if parts.is_empty() {
-        return "less than a minute".to_string();
-    }
-
-    match parts.len() {
-        1 => parts[0].clone(),
-        2 => format!("{} {}", parts[0], parts[1]),
-        _ => format!("{} {} {}", parts[0], parts[1], parts[2]),
-    }
-}
-
 #[derive(Debug)]
 pub struct EnvVarError {
    /// Name of the environment variable that is missing.
@@ -470,7 +516,7 @@ mod tests {
        };
        assert_eq!(
            err.to_string(),
-            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits or try again later."
+            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit https://chatgpt.com/codex/settings/usage to purchase more credits or try again later."
        );
    }

@@ -572,15 +618,16 @@ mod tests {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::hours(1);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: Some(PlanType::Known(KnownPlan::Team)),
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. To get more access now, send a request to your admin or try again in 1 hour."
+            let expected = format!(
+                "You've hit your usage limit. To get more access now, send a request to your admin or try again at {expected_time}."
            );
+            assert_eq!(err.to_string(), expected);
        });
    }

@@ -615,15 +662,16 @@ mod tests {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::hours(1);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: Some(PlanType::Known(KnownPlan::Pro)),
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Visit chatgpt.com/codex/settings/usage to purchase more credits or try again in 1 hour."
+            let expected = format!(
+                "You've hit your usage limit. Visit https://chatgpt.com/codex/settings/usage to purchase more credits or try again at {expected_time}."
            );
+            assert_eq!(err.to_string(), expected);
        });
    }

@@ -632,32 +680,61 @@ mod tests {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::minutes(5);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: None,
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Try again in 5 minutes."
-            );
+            let expected = format!("You've hit your usage limit. Try again at {expected_time}.");
+            assert_eq!(err.to_string(), expected);
        });
    }

+    #[test]
+    fn unexpected_status_cloudflare_html_is_simplified() {
+        let err = UnexpectedResponseError {
+            status: StatusCode::FORBIDDEN,
+            body: "<html><body>Cloudflare error: Sorry, you have been blocked</body></html>"
+                .to_string(),
+            request_id: Some("ray-id".to_string()),
+        };
+        let status = StatusCode::FORBIDDEN.to_string();
+        assert_eq!(
+            err.to_string(),
+            format!("{CLOUDFLARE_BLOCKED_MESSAGE} (status {status}), request id: ray-id")
+        );
+    }
+
+    #[test]
+    fn unexpected_status_non_html_is_unchanged() {
+        let err = UnexpectedResponseError {
+            status: StatusCode::FORBIDDEN,
+            body: "plain text error".to_string(),
+            request_id: None,
+        };
+        let status = StatusCode::FORBIDDEN.to_string();
+        assert_eq!(
+            err.to_string(),
+            format!("unexpected status {status}: plain text error")
+        );
+    }
+
    #[test]
    fn usage_limit_reached_includes_hours_and_minutes() {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::hours(3) + ChronoDuration::minutes(32);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: Some(PlanType::Known(KnownPlan::Plus)),
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits or try again in 3 hours 32 minutes."
+            let expected = format!(
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit https://chatgpt.com/codex/settings/usage to purchase more credits or try again at {expected_time}."
            );
+            assert_eq!(err.to_string(), expected);
        });
    }

@@ -667,15 +744,14 @@ mod tests {
        let resets_at =
            base + ChronoDuration::days(2) + ChronoDuration::hours(3) + ChronoDuration::minutes(5);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: None,
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Try again in 2 days 3 hours 5 minutes."
-            );
+            let expected = format!("You've hit your usage limit. Try again at {expected_time}.");
+            assert_eq!(err.to_string(), expected);
        });
    }

@@ -684,15 +760,14 @@ mod tests {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::seconds(30);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: None,
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Try again in less than a minute."
-            );
+            let expected = format!("You've hit your usage limit. Try again at {expected_time}.");
+            assert_eq!(err.to_string(), expected);
        });
    }
 }
--- a/codex-rs/core/src/event_mapping.rs
+++ b/codex-rs/core/src/event_mapping.rs
@@ -13,13 +13,19 @@ use codex_protocol::user_input::UserInput;
 use tracing::warn;
 use uuid::Uuid;

+use crate::user_instructions::UserInstructions;
+
 fn is_session_prefix(text: &str) -> bool {
    let trimmed = text.trim_start();
    let lowered = trimmed.to_ascii_lowercase();
-    lowered.starts_with("<environment_context>") || lowered.starts_with("<user_instructions>")
+    lowered.starts_with("<environment_context>")
 }

 fn parse_user_message(message: &[ContentItem]) -> Option<UserMessageItem> {
+    if UserInstructions::is_user_instructions(message) {
+        return None;
+    }
+
    let mut content: Vec<UserInput> = Vec::new();

    for content_item in message.iter() {
@@ -167,6 +173,38 @@ mod tests {
        }
    }

+    #[test]
+    fn skips_user_instructions_and_env() {
+        let items = vec![
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "<user_instructions>test_text</user_instructions>".to_string(),
+                }],
+            },
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "<environment_context>test_text</environment_context>".to_string(),
+                }],
+            },
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>".to_string(),
+                }],
+            },
+        ];
+
+        for item in items {
+            let turn_item = parse_turn_item(&item);
+            assert!(turn_item.is_none(), "expected none, got {turn_item:?}");
+        }
+    }
+
    #[test]
    fn parses_agent_message() {
        let item = ResponseItem::Message {
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -72,6 +72,9 @@ pub enum SandboxType {

    /// Only available on Linux.
    LinuxSeccomp,
+
+    /// Only available on Windows.
+    WindowsRestrictedToken,
 }

 #[derive(Clone)]
@@ -158,11 +161,89 @@ pub(crate) async fn execute_exec_env(
    };

    let start = Instant::now();
-    let raw_output_result = exec(params, sandbox_policy, stdout_stream).await;
+    let raw_output_result = exec(params, sandbox, sandbox_policy, stdout_stream).await;
    let duration = start.elapsed();
    finalize_exec_result(raw_output_result, sandbox, duration)
 }

+#[cfg(target_os = "windows")]
+async fn exec_windows_sandbox(
+    params: ExecParams,
+    sandbox_policy: &SandboxPolicy,
+) -> Result<RawExecToolCallOutput> {
+    use crate::config::find_codex_home;
+    use codex_windows_sandbox::run_windows_sandbox_capture;
+
+    let ExecParams {
+        command,
+        cwd,
+        env,
+        timeout_ms,
+        ..
+    } = params;
+
+    let policy_str = match sandbox_policy {
+        SandboxPolicy::DangerFullAccess => "workspace-write",
+        SandboxPolicy::ReadOnly => "read-only",
+        SandboxPolicy::WorkspaceWrite { .. } => "workspace-write",
+    };
+
+    let sandbox_cwd = cwd.clone();
+    let logs_base_dir = find_codex_home().ok();
+    let spawn_res = tokio::task::spawn_blocking(move || {
+        run_windows_sandbox_capture(
+            policy_str,
+            &sandbox_cwd,
+            command,
+            &cwd,
+            env,
+            timeout_ms,
+            logs_base_dir.as_deref(),
+        )
+    })
+    .await;
+
+    let capture = match spawn_res {
+        Ok(Ok(v)) => v,
+        Ok(Err(err)) => {
+            return Err(CodexErr::Io(io::Error::other(format!(
+                "windows sandbox: {err}"
+            ))));
+        }
+        Err(join_err) => {
+            return Err(CodexErr::Io(io::Error::other(format!(
+                "windows sandbox join error: {join_err}"
+            ))));
+        }
+    };
+
+    let exit_status = synthetic_exit_status(capture.exit_code);
+    let stdout = StreamOutput {
+        text: capture.stdout,
+        truncated_after_lines: None,
+    };
+    let stderr = StreamOutput {
+        text: capture.stderr,
+        truncated_after_lines: None,
+    };
+    // Best-effort aggregate: stdout then stderr
+    let mut aggregated = Vec::with_capacity(stdout.text.len() + stderr.text.len());
+    append_all(&mut aggregated, &stdout.text);
+    append_all(&mut aggregated, &stderr.text);
+    let aggregated_output = StreamOutput {
+        text: aggregated,
+        truncated_after_lines: None,
+    };
+
+    Ok(RawExecToolCallOutput {
+        exit_status,
+        stdout,
+        stderr,
+        aggregated_output,
+        timed_out: capture.timed_out,
+    })
+}
+
 fn finalize_exec_result(
    raw_output_result: std::result::Result<RawExecToolCallOutput, CodexErr>,
    sandbox_type: SandboxType,
@@ -232,6 +313,10 @@ pub(crate) mod errors {
                SandboxTransformError::MissingLinuxSandboxExecutable => {
                    CodexErr::LandlockSandboxExecutableNotProvided
                }
+                #[cfg(not(target_os = "macos"))]
+                SandboxTransformError::SeatbeltUnavailable => CodexErr::UnsupportedOperation(
+                    "seatbelt sandbox is only available on macOS".to_string(),
+                ),
            }
        }
    }
@@ -347,11 +432,17 @@ pub struct ExecToolCallOutput {
    pub timed_out: bool,
 }

+#[cfg_attr(not(target_os = "windows"), allow(unused_variables))]
 async fn exec(
    params: ExecParams,
+    sandbox: SandboxType,
    sandbox_policy: &SandboxPolicy,
    stdout_stream: Option<StdoutStream>,
 ) -> Result<RawExecToolCallOutput> {
+    #[cfg(target_os = "windows")]
+    if sandbox == SandboxType::WindowsRestrictedToken {
+        return exec_windows_sandbox(params, sandbox_policy).await;
+    }
    let timeout = params.timeout_duration();
    let ExecParams {
        command,
@@ -427,6 +518,7 @@ async fn consume_truncated_output(
                }
                Err(_) => {
                    // timeout
+                    kill_child_process_group(&mut child)?;
                    child.start_kill()?;
                    // Debatable whether `child.wait().await` should be called here.
                    (synthetic_exit_status(EXIT_CODE_SIGNAL_BASE + TIMEOUT_CODE), true)
@@ -434,6 +526,7 @@ async fn consume_truncated_output(
            }
        }
        _ = tokio::signal::ctrl_c() => {
+            kill_child_process_group(&mut child)?;
            child.start_kill()?;
            (synthetic_exit_status(EXIT_CODE_SIGNAL_BASE + SIGKILL_CODE), false)
        }
@@ -525,8 +618,41 @@ fn synthetic_exit_status(code: i32) -> ExitStatus {
 #[cfg(windows)]
 fn synthetic_exit_status(code: i32) -> ExitStatus {
    use std::os::windows::process::ExitStatusExt;
-    #[expect(clippy::unwrap_used)]
-    std::process::ExitStatus::from_raw(code.try_into().unwrap())
+    // On Windows the raw status is a u32. Use a direct cast to avoid
+    // panicking on negative i32 values produced by prior narrowing casts.
+    std::process::ExitStatus::from_raw(code as u32)
+}
+
+#[cfg(unix)]
+fn kill_child_process_group(child: &mut Child) -> io::Result<()> {
+    use std::io::ErrorKind;
+
+    if let Some(pid) = child.id() {
+        let pid = pid as libc::pid_t;
+        let pgid = unsafe { libc::getpgid(pid) };
+        if pgid == -1 {
+            let err = std::io::Error::last_os_error();
+            if err.kind() != ErrorKind::NotFound {
+                return Err(err);
+            }
+            return Ok(());
+        }
+
+        let result = unsafe { libc::killpg(pgid, libc::SIGKILL) };
+        if result == -1 {
+            let err = std::io::Error::last_os_error();
+            if err.kind() != ErrorKind::NotFound {
+                return Err(err);
+            }
+        }
+    }
+
+    Ok(())
+}
+
+#[cfg(not(unix))]
+fn kill_child_process_group(_: &mut Child) -> io::Result<()> {
+    Ok(())
 }

 #[cfg(test)]
--- a/codex-rs/core/src/features.rs
+++ b/codex-rs/core/src/features.rs
@@ -29,8 +29,6 @@ pub enum Stage {
 pub enum Feature {
    /// Use the single unified PTY-backed exec tool.
    UnifiedExec,
-    /// Use the streamable exec-command/write-stdin tool pair.
-    StreamableShell,
    /// Enable experimental RMCP features such as OAuth login.
    RmcpClient,
    /// Include the freeform apply_patch tool.
@@ -43,6 +41,8 @@ pub enum Feature {
    SandboxCommandAssessment,
    /// Create a ghost commit at each turn.
    GhostCommit,
+    /// Enable Windows sandbox (restricted token) on Windows.
+    WindowsSandbox,
 }

 impl Feature {
@@ -116,8 +116,9 @@ impl Features {
        self.enabled.contains(&f)
    }

-    pub fn enable(&mut self, f: Feature) {
+    pub fn enable(&mut self, f: Feature) -> &mut Self {
        self.enabled.insert(f);
+        self
    }

    pub fn disable(&mut self, f: Feature) -> &mut Self {
@@ -176,7 +177,6 @@ impl Features {
        let base_legacy = LegacyFeatureToggles {
            experimental_sandbox_command_assessment: cfg.experimental_sandbox_command_assessment,
            experimental_use_freeform_apply_patch: cfg.experimental_use_freeform_apply_patch,
-            experimental_use_exec_command_tool: cfg.experimental_use_exec_command_tool,
            experimental_use_unified_exec_tool: cfg.experimental_use_unified_exec_tool,
            experimental_use_rmcp_client: cfg.experimental_use_rmcp_client,
            tools_web_search: cfg.tools.as_ref().and_then(|t| t.web_search),
@@ -195,7 +195,7 @@ impl Features {
                .experimental_sandbox_command_assessment,
            experimental_use_freeform_apply_patch: config_profile
                .experimental_use_freeform_apply_patch,
-            experimental_use_exec_command_tool: config_profile.experimental_use_exec_command_tool,
+
            experimental_use_unified_exec_tool: config_profile.experimental_use_unified_exec_tool,
            experimental_use_rmcp_client: config_profile.experimental_use_rmcp_client,
            tools_web_search: config_profile.tools_web_search,
@@ -250,12 +250,6 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Experimental,
        default_enabled: false,
    },
-    FeatureSpec {
-        id: Feature::StreamableShell,
-        key: "streamable_shell",
-        stage: Stage::Experimental,
-        default_enabled: false,
-    },
    FeatureSpec {
        id: Feature::RmcpClient,
        key: "rmcp_client",
@@ -292,4 +286,10 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Experimental,
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::WindowsSandbox,
+        key: "enable_experimental_windows_sandbox",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
 ];
--- a/codex-rs/core/src/features/legacy.rs
+++ b/codex-rs/core/src/features/legacy.rs
@@ -17,10 +17,6 @@ const ALIASES: &[Alias] = &[
        legacy_key: "experimental_use_unified_exec_tool",
        feature: Feature::UnifiedExec,
    },
-    Alias {
-        legacy_key: "experimental_use_exec_command_tool",
-        feature: Feature::StreamableShell,
-    },
    Alias {
        legacy_key: "experimental_use_rmcp_client",
        feature: Feature::RmcpClient,
@@ -54,7 +50,6 @@ pub struct LegacyFeatureToggles {
    pub include_apply_patch_tool: Option<bool>,
    pub experimental_sandbox_command_assessment: Option<bool>,
    pub experimental_use_freeform_apply_patch: Option<bool>,
-    pub experimental_use_exec_command_tool: Option<bool>,
    pub experimental_use_unified_exec_tool: Option<bool>,
    pub experimental_use_rmcp_client: Option<bool>,
    pub tools_web_search: Option<bool>,
@@ -81,12 +76,6 @@ impl LegacyFeatureToggles {
            self.experimental_use_freeform_apply_patch,
            "experimental_use_freeform_apply_patch",
        );
-        set_if_some(
-            features,
-            Feature::StreamableShell,
-            self.experimental_use_exec_command_tool,
-            "experimental_use_exec_command_tool",
-        );
        set_if_some(
            features,
            Feature::UnifiedExec,
@@ -123,7 +112,7 @@ fn set_if_some(
    if let Some(enabled) = maybe_value {
        set_feature(features, feature, enabled);
        log_alias(alias_key, feature);
-        features.record_legacy_usage_force(alias_key, feature);
+        features.record_legacy_usage(alias_key, feature);
    }
 }

--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -18,7 +18,7 @@ mod codex_delegate;
 mod command_safety;
 pub mod config;
 pub mod config_loader;
-mod conversation_history;
+mod context_manager;
 pub mod custom_prompts;
 mod environment_context;
 pub mod error;
@@ -75,6 +75,7 @@ pub use rollout::find_conversation_path_by_id_str;
 pub use rollout::list::ConversationItem;
 pub use rollout::list::ConversationsPage;
 pub use rollout::list::Cursor;
+pub use rollout::list::parse_cursor;
 pub use rollout::list::read_head_for_summary;
 mod function_tool;
 mod state;
@@ -85,6 +86,7 @@ pub mod util;
 pub use apply_patch::CODEX_APPLY_PATCH_ARG1;
 pub use command_safety::is_safe_command;
 pub use safety::get_platform_sandbox;
+pub use safety::set_windows_sandbox_enabled;
 // Re-export the protocol types from the standalone `codex-protocol` crate so existing
 // `codex_core::protocol::...` references continue to work across the workspace.
 pub use codex_protocol::protocol;
--- a/codex-rs/core/src/model_family.rs
+++ b/codex-rs/core/src/model_family.rs
@@ -1,5 +1,6 @@
 use crate::config::types::ReasoningSummaryFormat;
 use crate::tools::handlers::apply_patch::ApplyPatchToolType;
+use crate::tools::spec::ConfigShellToolType;

 /// The `instructions` field in the payload sent to a model should always start
 /// with this content.
@@ -29,12 +30,6 @@ pub struct ModelFamily {
    // Define if we need a special handling of reasoning summary
    pub reasoning_summary_format: ReasoningSummaryFormat,

-    // This should be set to true when the model expects a tool named
-    // "local_shell" to be provided. Its contract must be understood natively by
-    // the model such that its description can be omitted.
-    // See https://platform.openai.com/docs/guides/tools-local-shell
-    pub uses_local_shell_tool: bool,
-
    /// Whether this model supports parallel tool calls when using the
    /// Responses API.
    pub supports_parallel_tool_calls: bool,
@@ -57,6 +52,9 @@ pub struct ModelFamily {

    /// If the model family supports setting the verbosity level when using Responses API.
    pub support_verbosity: bool,
+
+    /// Preferred shell tool type for this model family when features do not override it.
+    pub shell_type: ConfigShellToolType,
 }

 macro_rules! model_family {
@@ -64,19 +62,20 @@ macro_rules! model_family {
        $slug:expr, $family:expr $(, $key:ident : $value:expr )* $(,)?
    ) => {{
        // defaults
+        #[allow(unused_mut)]
        let mut mf = ModelFamily {
            slug: $slug.to_string(),
            family: $family.to_string(),
            needs_special_apply_patch_instructions: false,
            supports_reasoning_summaries: false,
            reasoning_summary_format: ReasoningSummaryFormat::None,
-            uses_local_shell_tool: false,
            supports_parallel_tool_calls: false,
            apply_patch_tool_type: None,
            base_instructions: BASE_INSTRUCTIONS.to_string(),
            experimental_supported_tools: Vec::new(),
            effective_context_window_percent: 95,
            support_verbosity: false,
+            shell_type: ConfigShellToolType::Default,
        };
        // apply overrides
        $(
@@ -105,8 +104,8 @@ pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
        model_family!(
            slug, "codex-mini-latest",
            supports_reasoning_summaries: true,
-            uses_local_shell_tool: true,
            needs_special_apply_patch_instructions: true,
+            shell_type: ConfigShellToolType::Local,
        )
    } else if slug.starts_with("gpt-4.1") {
        model_family!(
@@ -119,6 +118,8 @@ pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
        model_family!(slug, "gpt-4o", needs_special_apply_patch_instructions: true)
    } else if slug.starts_with("gpt-3.5") {
        model_family!(slug, "gpt-3.5", needs_special_apply_patch_instructions: true)
+    } else if slug.starts_with("porcupine") {
+        model_family!(slug, "porcupine", shell_type: ConfigShellToolType::UnifiedExec)
    } else if slug.starts_with("test-gpt-5-codex") {
        model_family!(
            slug, slug,
@@ -160,7 +161,7 @@ pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
            reasoning_summary_format: ReasoningSummaryFormat::Experimental,
            base_instructions: GPT_5_CODEX_INSTRUCTIONS.to_string(),
            apply_patch_tool_type: Some(ApplyPatchToolType::Freeform),
-            support_verbosity: true,
+            support_verbosity: false,
        )
    } else if slug.starts_with("gpt-5") {
        model_family!(
@@ -181,12 +182,12 @@ pub fn derive_default_model_family(model: &str) -> ModelFamily {
        needs_special_apply_patch_instructions: false,
        supports_reasoning_summaries: false,
        reasoning_summary_format: ReasoningSummaryFormat::None,
-        uses_local_shell_tool: false,
        supports_parallel_tool_calls: false,
        apply_patch_tool_type: None,
        base_instructions: BASE_INSTRUCTIONS.to_string(),
        experimental_supported_tools: Vec::new(),
        effective_context_window_percent: 95,
        support_verbosity: false,
+        shell_type: ConfigShellToolType::Default,
    }
 }
--- a/codex-rs/core/src/rollout/list.rs
+++ b/codex-rs/core/src/rollout/list.rs
@@ -273,7 +273,7 @@ async fn traverse_directories_for_paths(
 /// Pagination cursor token format: "<file_ts>|<uuid>" where `file_ts` matches the
 /// filename timestamp portion (YYYY-MM-DDThh-mm-ss) used in rollout filenames.
 /// The cursor orders files by timestamp desc, then UUID desc.
-fn parse_cursor(token: &str) -> Option<Cursor> {
+pub fn parse_cursor(token: &str) -> Option<Cursor> {
    let (file_ts, uuid_str) = token.split_once('|')?;

    let Ok(uuid) = Uuid::parse_str(uuid_str) else {
--- a/codex-rs/core/src/rollout/policy.rs
+++ b/codex-rs/core/src/rollout/policy.rs
@@ -46,6 +46,7 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
        | EventMsg::UndoCompleted(_)
        | EventMsg::TurnAborted(_) => true,
        EventMsg::Error(_)
+        | EventMsg::Warning(_)
        | EventMsg::TaskStarted(_)
        | EventMsg::TaskComplete(_)
        | EventMsg::AgentMessageDelta(_)
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -10,6 +10,23 @@ use crate::exec::SandboxType;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;

+#[cfg(target_os = "windows")]
+use std::sync::atomic::AtomicBool;
+#[cfg(target_os = "windows")]
+use std::sync::atomic::Ordering;
+
+#[cfg(target_os = "windows")]
+static WINDOWS_SANDBOX_ENABLED: AtomicBool = AtomicBool::new(false);
+
+#[cfg(target_os = "windows")]
+pub fn set_windows_sandbox_enabled(enabled: bool) {
+    WINDOWS_SANDBOX_ENABLED.store(enabled, Ordering::Relaxed);
+}
+
+#[cfg(not(target_os = "windows"))]
+#[allow(dead_code)]
+pub fn set_windows_sandbox_enabled(_enabled: bool) {}
+
 #[derive(Debug, PartialEq)]
 pub enum SafetyCheck {
    AutoApprove {
@@ -84,6 +101,14 @@ pub fn get_platform_sandbox() -> Option<SandboxType> {
        Some(SandboxType::MacosSeatbelt)
    } else if cfg!(target_os = "linux") {
        Some(SandboxType::LinuxSeccomp)
+    } else if cfg!(target_os = "windows") {
+        #[cfg(target_os = "windows")]
+        {
+            if WINDOWS_SANDBOX_ENABLED.load(Ordering::Relaxed) {
+                return Some(SandboxType::WindowsRestrictedToken);
+            }
+        }
+        None
    } else {
        None
    }
--- a/codex-rs/core/src/sandboxing/assessment.rs
+++ b/codex-rs/core/src/sandboxing/assessment.rs
@@ -25,16 +25,6 @@ use tracing::warn;

 const SANDBOX_ASSESSMENT_TIMEOUT: Duration = Duration::from_secs(5);

-const SANDBOX_RISK_CATEGORY_VALUES: &[&str] = &[
-    "data_deletion",
-    "data_exfiltration",
-    "privilege_escalation",
-    "system_modification",
-    "network_access",
-    "resource_exhaustion",
-    "compliance",
-];
-
 #[derive(Template)]
 #[template(path = "sandboxing/assessment_prompt.md", escape = "none")]
 struct SandboxAssessmentPromptTemplate<'a> {
@@ -176,27 +166,26 @@ pub(crate) async fn assess_command(
                    call_id,
                    "success",
                    Some(assessment.risk_level),
-                    &assessment.risk_categories,
                    duration,
                );
                return Some(assessment);
            }
            Err(err) => {
                warn!("failed to parse sandbox assessment JSON: {err}");
-                parent_otel.sandbox_assessment(call_id, "parse_error", None, &[], duration);
+                parent_otel.sandbox_assessment(call_id, "parse_error", None, duration);
            }
        },
        Ok(Ok(None)) => {
            warn!("sandbox assessment response did not include any message");
-            parent_otel.sandbox_assessment(call_id, "no_output", None, &[], duration);
+            parent_otel.sandbox_assessment(call_id, "no_output", None, duration);
        }
        Ok(Err(err)) => {
            warn!("sandbox assessment failed: {err}");
-            parent_otel.sandbox_assessment(call_id, "model_error", None, &[], duration);
+            parent_otel.sandbox_assessment(call_id, "model_error", None, duration);
        }
        Err(_) => {
            warn!("sandbox assessment timed out");
-            parent_otel.sandbox_assessment(call_id, "timeout", None, &[], duration);
+            parent_otel.sandbox_assessment(call_id, "timeout", None, duration);
        }
    }

@@ -229,7 +218,7 @@ fn sandbox_roots_for_prompt(policy: &SandboxPolicy, cwd: &Path) -> Vec<PathBuf>
 fn sandbox_assessment_schema() -> serde_json::Value {
    json!({
        "type": "object",
-        "required": ["description", "risk_level", "risk_categories"],
+        "required": ["description", "risk_level"],
        "properties": {
            "description": {
                "type": "string",
@@ -240,13 +229,6 @@ fn sandbox_assessment_schema() -> serde_json::Value {
                "type": "string",
                "enum": ["low", "medium", "high"]
            },
-            "risk_categories": {
-                "type": "array",
-                "items": {
-                    "type": "string",
-                    "enum": SANDBOX_RISK_CATEGORY_VALUES
-                }
-            }
        },
        "additionalProperties": false
    })
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -14,8 +14,11 @@ use crate::exec::StdoutStream;
 use crate::exec::execute_exec_env;
 use crate::landlock::create_linux_sandbox_command_args;
 use crate::protocol::SandboxPolicy;
+#[cfg(target_os = "macos")]
 use crate::seatbelt::MACOS_PATH_TO_SEATBELT_EXECUTABLE;
+#[cfg(target_os = "macos")]
 use crate::seatbelt::create_seatbelt_command_args;
+#[cfg(target_os = "macos")]
 use crate::spawn::CODEX_SANDBOX_ENV_VAR;
 use crate::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use crate::tools::sandboxing::SandboxablePreference;
@@ -56,6 +59,9 @@ pub enum SandboxPreference {
 pub(crate) enum SandboxTransformError {
    #[error("missing codex-linux-sandbox executable path")]
    MissingLinuxSandboxExecutable,
+    #[cfg(not(target_os = "macos"))]
+    #[error("seatbelt sandbox is only available on macOS")]
+    SeatbeltUnavailable,
 }

 #[derive(Default)]
@@ -74,25 +80,13 @@ impl SandboxManager {
        match pref {
            SandboxablePreference::Forbid => SandboxType::None,
            SandboxablePreference::Require => {
-                #[cfg(target_os = "macos")]
-                {
-                    return SandboxType::MacosSeatbelt;
-                }
-                #[cfg(target_os = "linux")]
-                {
-                    return SandboxType::LinuxSeccomp;
-                }
-                #[allow(unreachable_code)]
-                SandboxType::None
+                // Require a platform sandbox when available; on Windows this
+                // respects the enable_experimental_windows_sandbox feature.
+                crate::safety::get_platform_sandbox().unwrap_or(SandboxType::None)
            }
            SandboxablePreference::Auto => match policy {
                SandboxPolicy::DangerFullAccess => SandboxType::None,
-                #[cfg(target_os = "macos")]
-                _ => SandboxType::MacosSeatbelt,
-                #[cfg(target_os = "linux")]
-                _ => SandboxType::LinuxSeccomp,
-                #[cfg(not(any(target_os = "macos", target_os = "linux")))]
-                _ => SandboxType::None,
+                _ => crate::safety::get_platform_sandbox().unwrap_or(SandboxType::None),
            },
        }
    }
@@ -119,6 +113,7 @@ impl SandboxManager {

        let (command, sandbox_env, arg0_override) = match sandbox {
            SandboxType::None => (command, HashMap::new(), None),
+            #[cfg(target_os = "macos")]
            SandboxType::MacosSeatbelt => {
                let mut seatbelt_env = HashMap::new();
                seatbelt_env.insert(CODEX_SANDBOX_ENV_VAR.to_string(), "seatbelt".to_string());
@@ -129,6 +124,8 @@ impl SandboxManager {
                full_command.append(&mut args);
                (full_command, seatbelt_env, None)
            }
+            #[cfg(not(target_os = "macos"))]
+            SandboxType::MacosSeatbelt => return Err(SandboxTransformError::SeatbeltUnavailable),
            SandboxType::LinuxSeccomp => {
                let exe = codex_linux_sandbox_exe
                    .ok_or(SandboxTransformError::MissingLinuxSandboxExecutable)?;
@@ -143,6 +140,14 @@ impl SandboxManager {
                    Some("codex-linux-sandbox".to_string()),
                )
            }
+            // On Windows, the restricted token sandbox executes in-process via the
+            // codex-windows-sandbox crate. We leave the command unchanged here and
+            // branch during execution based on the sandbox type.
+            #[cfg(target_os = "windows")]
+            SandboxType::WindowsRestrictedToken => (command, HashMap::new(), None),
+            // When building for non-Windows targets, this variant is never constructed.
+            #[cfg(not(target_os = "windows"))]
+            SandboxType::WindowsRestrictedToken => (command, HashMap::new(), None),
        };

        env.extend(sandbox_env);
--- a/codex-rs/core/src/seatbelt.rs
+++ b/codex-rs/core/src/seatbelt.rs
@@ -1,4 +1,7 @@
+#![cfg(target_os = "macos")]
+
 use std::collections::HashMap;
+use std::ffi::CStr;
 use std::path::Path;
 use std::path::PathBuf;
 use tokio::process::Child;
@@ -9,6 +12,7 @@ use crate::spawn::StdioPolicy;
 use crate::spawn::spawn_child_async;

 const MACOS_SEATBELT_BASE_POLICY: &str = include_str!("seatbelt_base_policy.sbpl");
+const MACOS_SEATBELT_NETWORK_POLICY: &str = include_str!("seatbelt_network_policy.sbpl");

 /// When working with `sandbox-exec`, only consider `sandbox-exec` in `/usr/bin`
 /// to defend against an attacker trying to inject a malicious version on the
@@ -44,27 +48,24 @@ pub(crate) fn create_seatbelt_command_args(
    sandbox_policy: &SandboxPolicy,
    sandbox_policy_cwd: &Path,
 ) -> Vec<String> {
-    let (file_write_policy, extra_cli_args) = {
+    let (file_write_policy, file_write_dir_params) = {
        if sandbox_policy.has_full_disk_write_access() {
            // Allegedly, this is more permissive than `(allow file-write*)`.
            (
                r#"(allow file-write* (regex #"^/"))"#.to_string(),
-                Vec::<String>::new(),
+                Vec::new(),
            )
        } else {
            let writable_roots = sandbox_policy.get_writable_roots_with_cwd(sandbox_policy_cwd);

            let mut writable_folder_policies: Vec<String> = Vec::new();
-            let mut cli_args: Vec<String> = Vec::new();
+            let mut file_write_params = Vec::new();

            for (index, wr) in writable_roots.iter().enumerate() {
                // Canonicalize to avoid mismatches like /var vs /private/var on macOS.
                let canonical_root = wr.root.canonicalize().unwrap_or_else(|_| wr.root.clone());
                let root_param = format!("WRITABLE_ROOT_{index}");
-                cli_args.push(format!(
-                    "-D{root_param}={}",
-                    canonical_root.to_string_lossy()
-                ));
+                file_write_params.push((root_param.clone(), canonical_root));

                if wr.read_only_subpaths.is_empty() {
                    writable_folder_policies.push(format!("(subpath (param \"{root_param}\"))"));
@@ -76,9 +77,9 @@ pub(crate) fn create_seatbelt_command_args(
                    for (subpath_index, ro) in wr.read_only_subpaths.iter().enumerate() {
                        let canonical_ro = ro.canonicalize().unwrap_or_else(|_| ro.clone());
                        let ro_param = format!("WRITABLE_ROOT_{index}_RO_{subpath_index}");
-                        cli_args.push(format!("-D{ro_param}={}", canonical_ro.to_string_lossy()));
                        require_parts
                            .push(format!("(require-not (subpath (param \"{ro_param}\")))"));
+                        file_write_params.push((ro_param, canonical_ro));
                    }
                    let policy_component = format!("(require-all {} )", require_parts.join(" "));
                    writable_folder_policies.push(policy_component);
@@ -86,13 +87,13 @@ pub(crate) fn create_seatbelt_command_args(
            }

            if writable_folder_policies.is_empty() {
-                ("".to_string(), Vec::<String>::new())
+                ("".to_string(), Vec::new())
            } else {
                let file_write_policy = format!(
                    "(allow file-write*\n{}\n)",
                    writable_folder_policies.join(" ")
                );
-                (file_write_policy, cli_args)
+                (file_write_policy, file_write_params)
            }
        }
    };
@@ -105,7 +106,7 @@ pub(crate) fn create_seatbelt_command_args(

    // TODO(mbolin): apply_patch calls must also honor the SandboxPolicy.
    let network_policy = if sandbox_policy.has_full_network_access() {
-        "(allow network-outbound)\n(allow network-inbound)\n(allow system-socket)"
+        MACOS_SEATBELT_NETWORK_POLICY
    } else {
        ""
    };
@@ -114,17 +115,49 @@ pub(crate) fn create_seatbelt_command_args(
        "{MACOS_SEATBELT_BASE_POLICY}\n{file_read_policy}\n{file_write_policy}\n{network_policy}"
    );

+    let dir_params = [file_write_dir_params, macos_dir_params()].concat();
+
    let mut seatbelt_args: Vec<String> = vec!["-p".to_string(), full_policy];
-    seatbelt_args.extend(extra_cli_args);
+    let definition_args = dir_params
+        .into_iter()
+        .map(|(key, value)| format!("-D{key}={value}", value = value.to_string_lossy()));
+    seatbelt_args.extend(definition_args);
    seatbelt_args.push("--".to_string());
    seatbelt_args.extend(command);
    seatbelt_args
 }

+/// Wraps libc::confstr to return a String.
+fn confstr(name: libc::c_int) -> Option<String> {
+    let mut buf = vec![0_i8; (libc::PATH_MAX as usize) + 1];
+    let len = unsafe { libc::confstr(name, buf.as_mut_ptr(), buf.len()) };
+    if len == 0 {
+        return None;
+    }
+    // confstr guarantees NUL-termination when len > 0.
+    let cstr = unsafe { CStr::from_ptr(buf.as_ptr()) };
+    cstr.to_str().ok().map(ToString::to_string)
+}
+
+/// Wraps confstr to return a canonicalized PathBuf.
+fn confstr_path(name: libc::c_int) -> Option<PathBuf> {
+    let s = confstr(name)?;
+    let path = PathBuf::from(s);
+    path.canonicalize().ok().or(Some(path))
+}
+
+fn macos_dir_params() -> Vec<(String, PathBuf)> {
+    if let Some(p) = confstr_path(libc::_CS_DARWIN_USER_CACHE_DIR) {
+        return vec![("DARWIN_USER_CACHE_DIR".to_string(), p)];
+    }
+    vec![]
+}
+
 #[cfg(test)]
 mod tests {
    use super::MACOS_SEATBELT_BASE_POLICY;
    use super::create_seatbelt_command_args;
+    use super::macos_dir_params;
    use crate::protocol::SandboxPolicy;
    use pretty_assertions::assert_eq;
    use std::fs;
@@ -134,11 +167,6 @@ mod tests {

    #[test]
    fn create_seatbelt_args_with_read_only_git_subpath() {
-        if cfg!(target_os = "windows") {
-            // /tmp does not exist on Windows, so skip this test.
-            return;
-        }
-
        // Create a temporary workspace with two writable roots: one containing
        // a top-level .git directory and one without it.
        let tmp = TempDir::new().expect("tempdir");
@@ -199,6 +227,12 @@ mod tests {
            format!("-DWRITABLE_ROOT_2={}", cwd.to_string_lossy()),
        ];

+        expected_args.extend(
+            macos_dir_params()
+                .into_iter()
+                .map(|(key, value)| format!("-D{key}={value}", value = value.to_string_lossy())),
+        );
+
        expected_args.extend(vec![
            "--".to_string(),
            "/bin/echo".to_string(),
@@ -210,11 +244,6 @@ mod tests {

    #[test]
    fn create_seatbelt_args_for_cwd_as_git_repo() {
-        if cfg!(target_os = "windows") {
-            // /tmp does not exist on Windows, so skip this test.
-            return;
-        }
-
        // Create a temporary workspace with two writable roots: one containing
        // a top-level .git directory and one without it.
        let tmp = TempDir::new().expect("tempdir");
@@ -292,6 +321,12 @@ mod tests {
            expected_args.push(format!("-DWRITABLE_ROOT_2={p}"));
        }

+        expected_args.extend(
+            macos_dir_params()
+                .into_iter()
+                .map(|(key, value)| format!("-D{key}={value}", value = value.to_string_lossy())),
+        );
+
        expected_args.extend(vec![
            "--".to_string(),
            "/bin/echo".to_string(),
--- a/codex-rs/core/src/seatbelt_network_policy.sbpl
+++ b/codex-rs/core/src/seatbelt_network_policy.sbpl
@@ -0,0 +1,30 @@
+; when network access is enabled, these policies are added after those in seatbelt_base_policy.sbpl
+; Ref https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/mac/network.sb;drc=f8f264d5e4e7509c913f4c60c2639d15905a07e4
+
+(allow network-outbound)
+(allow network-inbound)
+(allow system-socket)
+
+(allow mach-lookup
+    ; Used to look up the _CS_DARWIN_USER_CACHE_DIR in the sandbox.
+    (global-name "com.apple.bsd.dirhelper")
+    (global-name "com.apple.system.opendirectoryd.membership")
+
+    ; Communicate with the security server for TLS certificate information.
+    (global-name "com.apple.SecurityServer")
+    (global-name "com.apple.networkd")
+    (global-name "com.apple.ocspd")
+    (global-name "com.apple.trustd.agent")
+
+    ; Read network configuration.
+    (global-name "com.apple.SystemConfiguration.DNSConfiguration")
+    (global-name "com.apple.SystemConfiguration.configd")
+)
+
+(allow sysctl-read
+  (sysctl-name-regex #"^net.routetable")
+)
+
+(allow file-write*
+  (subpath (param "DARWIN_USER_CACHE_DIR"))
+)
--- a/codex-rs/core/src/spawn.rs
+++ b/codex-rs/core/src/spawn.rs
@@ -64,22 +64,31 @@ pub(crate) async fn spawn_child_async(
    // any child processes that were spawned as part of a `"shell"` tool call
    // to also be terminated.

-    // This relies on prctl(2), so it only works on Linux.
-    #[cfg(target_os = "linux")]
+    #[cfg(unix)]
    unsafe {
+        let parent_pid = libc::getpid();
        cmd.pre_exec(|| {
-            // This prctl call effectively requests, "deliver SIGTERM when my
-            // current parent dies."
-            if libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGTERM) == -1 {
+            if libc::setpgid(0, 0) == -1 {
                return Err(std::io::Error::last_os_error());
            }

-            // Though if there was a race condition and this pre_exec() block is
-            // run _after_ the parent (i.e., the Codex process) has already
-            // exited, then the parent is the _init_ process (which will never
-            // die), so we should just terminate the child process now.
-            if libc::getppid() == 1 {
-                libc::raise(libc::SIGTERM);
+            // This relies on prctl(2), so it only works on Linux.
+            #[cfg(target_os = "linux")]
+            {
+                // This prctl call effectively requests, "deliver SIGTERM when my
+                // current parent dies."
+                if libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGTERM) == -1 {
+                    return Err(std::io::Error::last_os_error());
+                }
+
+                // Though if there was a race condition and this pre_exec() block is
+                // run _after_ the parent (i.e., the Codex process) has already
+                // exited, then parent will be the closest configured "subreaper"
+                // ancestor process, or PID 1 (init). If the Codex process has exited
+                // already, so should the child process.
+                if libc::getppid() != parent_pid {
+                    libc::raise(libc::SIGTERM);
+                }
            }
            Ok(())
        });
--- a/codex-rs/core/src/state/session.rs
+++ b/codex-rs/core/src/state/session.rs
@@ -3,7 +3,7 @@
 use codex_protocol::models::ResponseItem;

 use crate::codex::SessionConfiguration;
-use crate::conversation_history::ConversationHistory;
+use crate::context_manager::ContextManager;
 use crate::protocol::RateLimitSnapshot;
 use crate::protocol::TokenUsage;
 use crate::protocol::TokenUsageInfo;
@@ -11,7 +11,7 @@ use crate::protocol::TokenUsageInfo;
 /// Persistent, session-scoped state previously stored directly on `Session`.
 pub(crate) struct SessionState {
    pub(crate) session_configuration: SessionConfiguration,
-    pub(crate) history: ConversationHistory,
+    pub(crate) history: ContextManager,
    pub(crate) latest_rate_limits: Option<RateLimitSnapshot>,
 }

@@ -20,7 +20,7 @@ impl SessionState {
    pub(crate) fn new(session_configuration: SessionConfiguration) -> Self {
        Self {
            session_configuration,
-            history: ConversationHistory::new(),
+            history: ContextManager::new(),
            latest_rate_limits: None,
        }
    }
@@ -34,7 +34,7 @@ impl SessionState {
        self.history.record_items(items)
    }

-    pub(crate) fn clone_history(&self) -> ConversationHistory {
+    pub(crate) fn clone_history(&self) -> ContextManager {
        self.history.clone()
    }

--- a/codex-rs/core/src/tasks/review.rs
+++ b/codex-rs/core/src/tasks/review.rs
@@ -75,12 +75,12 @@ async fn start_review_conversation(
    // Avoid loading project docs; reviewer only needs findings
    sub_agent_config.project_doc_max_bytes = 0;
    // Carry over review-only feature restrictions so the delegate cannot
-    // re-enable blocked tools (web search, view image, streamable shell).
+    // re-enable blocked tools (web search, view image).
    sub_agent_config
        .features
        .disable(crate::features::Feature::WebSearchRequest)
-        .disable(crate::features::Feature::ViewImageTool)
-        .disable(crate::features::Feature::StreamableShell);
+        .disable(crate::features::Feature::ViewImageTool);
+
    // Set explicit review rubric for the sub-agent
    sub_agent_config.base_instructions = Some(crate::REVIEW_PROMPT.to_string());
    (run_codex_conversation_one_shot(
--- a/codex-rs/core/src/tools/handlers/unified_exec.rs
+++ b/codex-rs/core/src/tools/handlers/unified_exec.rs
@@ -1,8 +1,5 @@
-use std::time::Duration;
-
 use async_trait::async_trait;
 use serde::Deserialize;
-use serde::Serialize;

 use crate::function_tool::FunctionCallError;
 use crate::protocol::EventMsg;
@@ -163,11 +160,7 @@ impl ToolHandler for UnifiedExecHandler {
                .await;
        }

-        let content = serialize_response(&response).map_err(|err| {
-            FunctionCallError::RespondToModel(format!(
-                "failed to serialize unified exec output: {err:?}"
-            ))
-        })?;
+        let content = format_response(&response);

        Ok(ToolOutput::Function {
            content,
@@ -177,32 +170,30 @@ impl ToolHandler for UnifiedExecHandler {
    }
 }

-#[derive(Serialize)]
-struct SerializedUnifiedExecResponse<'a> {
-    chunk_id: &'a str,
-    wall_time_seconds: f64,
-    output: &'a str,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    session_id: Option<i32>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    exit_code: Option<i32>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    original_token_count: Option<usize>,
-}
+fn format_response(response: &UnifiedExecResponse) -> String {
+    let mut sections = Vec::new();

-fn serialize_response(response: &UnifiedExecResponse) -> Result<String, serde_json::Error> {
-    let payload = SerializedUnifiedExecResponse {
-        chunk_id: &response.chunk_id,
-        wall_time_seconds: duration_to_seconds(response.wall_time),
-        output: &response.output,
-        session_id: response.session_id,
-        exit_code: response.exit_code,
-        original_token_count: response.original_token_count,
-    };
+    if !response.chunk_id.is_empty() {
+        sections.push(format!("Chunk ID: {}", response.chunk_id));
+    }

-    serde_json::to_string(&payload)
-}
+    let wall_time_seconds = response.wall_time.as_secs_f64();
+    sections.push(format!("Wall time: {wall_time_seconds:.4} seconds"));

-fn duration_to_seconds(duration: Duration) -> f64 {
-    duration.as_secs_f64()
+    if let Some(exit_code) = response.exit_code {
+        sections.push(format!("Process exited with code {exit_code}"));
+    }
+
+    if let Some(session_id) = response.session_id {
+        sections.push(format!("Process running with session ID {session_id}"));
+    }
+
+    if let Some(original_token_count) = response.original_token_count {
+        sections.push(format!("Original token count: {original_token_count}"));
+    }
+
+    sections.push("Output:".to_string());
+    sections.push(response.output.clone());
+
+    sections.join("\n")
 }
--- a/codex-rs/core/src/tools/mod.rs
+++ b/codex-rs/core/src/tools/mod.rs
@@ -9,7 +9,7 @@ pub mod runtimes;
 pub mod sandboxing;
 pub mod spec;

-use crate::conversation_history::format_output_for_model_body;
+use crate::context_manager::format_output_for_model_body;
 use crate::exec::ExecToolCallOutput;
 pub use router::ToolRouter;
 use serde::Serialize;
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -54,12 +54,21 @@ impl ToolOrchestrator {
        let mut already_approved = false;

        if needs_initial_approval {
+            let mut risk = None;
+
+            if let Some(metadata) = req.sandbox_retry_data() {
+                risk = tool_ctx
+                    .session
+                    .assess_sandbox_command(turn_ctx, &tool_ctx.call_id, &metadata.command, None)
+                    .await;
+            }
+
            let approval_ctx = ApprovalCtx {
                session: tool_ctx.session,
                turn: turn_ctx,
                call_id: &tool_ctx.call_id,
                retry_reason: None,
-                risk: None,
+                risk,
            };
            let decision = tool.start_approval_async(req, approval_ctx).await;

@@ -83,6 +92,8 @@ impl ToolOrchestrator {
        if tool.wants_escalated_first_attempt(req) {
            initial_sandbox = crate::exec::SandboxType::None;
        }
+        // Platform-specific flag gating is handled by SandboxManager::select_initial
+        // via crate::safety::get_platform_sandbox().
        let initial_attempt = SandboxAttempt {
            sandbox: initial_sandbox,
            policy: &turn_ctx.sandbox_policy,
--- a/codex-rs/core/src/tools/parallel.rs
+++ b/codex-rs/core/src/tools/parallel.rs
@@ -1,4 +1,5 @@
 use std::sync::Arc;
+use std::time::Instant;

 use tokio::sync::RwLock;
 use tokio_util::either::Either;
@@ -53,13 +54,16 @@ impl ToolCallRuntime {
        let turn = Arc::clone(&self.turn_context);
        let tracker = Arc::clone(&self.tracker);
        let lock = Arc::clone(&self.parallel_execution);
-        let aborted_response = Self::aborted_response(&call);
+        let started = Instant::now();
        let readiness = self.turn_context.tool_call_gate.clone();

        let handle: AbortOnDropHandle<Result<ResponseInputItem, FunctionCallError>> =
            AbortOnDropHandle::new(tokio::spawn(async move {
                tokio::select! {
-                    _ = cancellation_token.cancelled() => Ok(aborted_response),
+                    _ = cancellation_token.cancelled() => {
+                        let secs = started.elapsed().as_secs_f32().max(0.1);
+                        Ok(Self::aborted_response(&call, secs))
+                    },
                    res = async {
                        tracing::info!("waiting for tool gate");
                        readiness.wait_ready().await;
@@ -71,7 +75,7 @@ impl ToolCallRuntime {
                        };

                        router
-                            .dispatch_tool_call(session, turn, tracker, call)
+                            .dispatch_tool_call(session, turn, tracker, call.clone())
                            .await
                    } => res,
                }
@@ -91,23 +95,32 @@ impl ToolCallRuntime {
 }

 impl ToolCallRuntime {
-    fn aborted_response(call: &ToolCall) -> ResponseInputItem {
+    fn aborted_response(call: &ToolCall, secs: f32) -> ResponseInputItem {
        match &call.payload {
            ToolPayload::Custom { .. } => ResponseInputItem::CustomToolCallOutput {
                call_id: call.call_id.clone(),
-                output: "aborted".to_string(),
+                output: Self::abort_message(call, secs),
            },
            ToolPayload::Mcp { .. } => ResponseInputItem::McpToolCallOutput {
                call_id: call.call_id.clone(),
-                result: Err("aborted".to_string()),
+                result: Err(Self::abort_message(call, secs)),
            },
            _ => ResponseInputItem::FunctionCallOutput {
                call_id: call.call_id.clone(),
                output: FunctionCallOutputPayload {
-                    content: "aborted".to_string(),
+                    content: Self::abort_message(call, secs),
                    ..Default::default()
                },
            },
        }
    }
+
+    fn abort_message(call: &ToolCall, secs: f32) -> String {
+        match call.tool_name.as_str() {
+            "shell" | "container.exec" | "local_shell" | "unified_exec" => {
+                format!("Wall time: {secs:.1} seconds\naborted by user")
+            }
+            _ => format!("aborted by user after {secs:.1}s"),
+        }
+    }
 }
--- a/codex-rs/core/src/tools/spec.rs
+++ b/codex-rs/core/src/tools/spec.rs
@@ -15,11 +15,11 @@ use serde_json::json;
 use std::collections::BTreeMap;
 use std::collections::HashMap;

-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub enum ConfigShellToolType {
    Default,
    Local,
-    Streamable,
+    UnifiedExec,
 }

 #[derive(Debug, Clone)]
@@ -28,7 +28,6 @@ pub(crate) struct ToolsConfig {
    pub apply_patch_tool_type: Option<ApplyPatchToolType>,
    pub web_search_request: bool,
    pub include_view_image_tool: bool,
-    pub experimental_unified_exec_tool: bool,
    pub experimental_supported_tools: Vec<String>,
 }

@@ -43,18 +42,14 @@ impl ToolsConfig {
            model_family,
            features,
        } = params;
-        let use_streamable_shell_tool = features.enabled(Feature::StreamableShell);
-        let experimental_unified_exec_tool = features.enabled(Feature::UnifiedExec);
        let include_apply_patch_tool = features.enabled(Feature::ApplyPatchFreeform);
        let include_web_search_request = features.enabled(Feature::WebSearchRequest);
        let include_view_image_tool = features.enabled(Feature::ViewImageTool);

-        let shell_type = if use_streamable_shell_tool {
-            ConfigShellToolType::Streamable
-        } else if model_family.uses_local_shell_tool {
-            ConfigShellToolType::Local
+        let shell_type = if features.enabled(Feature::UnifiedExec) {
+            ConfigShellToolType::UnifiedExec
        } else {
-            ConfigShellToolType::Default
+            model_family.shell_type.clone()
        };

        let apply_patch_tool_type = match model_family.apply_patch_tool_type {
@@ -74,7 +69,6 @@ impl ToolsConfig {
            apply_patch_tool_type,
            web_search_request: include_web_search_request,
            include_view_image_tool,
-            experimental_unified_exec_tool,
            experimental_supported_tools: model_family.experimental_supported_tools.clone(),
        }
    }
@@ -162,7 +156,8 @@ fn create_exec_command_tool() -> ToolSpec {
        "yield_time_ms".to_string(),
        JsonSchema::Number {
            description: Some(
-                "How long to wait (in milliseconds) for output before yielding.".to_string(),
+                "Maximum time in milliseconds to wait for output after writing the input (default: 1000)."
+                    .to_string(),
            ),
        },
    );
@@ -252,7 +247,9 @@ fn create_shell_tool() -> ToolSpec {
    properties.insert(
        "timeout_ms".to_string(),
        JsonSchema::Number {
-            description: Some("The timeout for the command in milliseconds".to_string()),
+            description: Some(
+                "The timeout for the command in milliseconds (default: 1000).".to_string(),
+            ),
        },
    );

@@ -886,15 +883,6 @@ pub(crate) fn build_specs(
    let mcp_handler = Arc::new(McpHandler);
    let mcp_resource_handler = Arc::new(McpResourceHandler);

-    let use_unified_exec = config.experimental_unified_exec_tool
-        || matches!(config.shell_type, ConfigShellToolType::Streamable);
-
-    if use_unified_exec {
-        builder.push_spec(create_exec_command_tool());
-        builder.push_spec(create_write_stdin_tool());
-        builder.register_handler("exec_command", unified_exec_handler.clone());
-        builder.register_handler("write_stdin", unified_exec_handler);
-    }
    match &config.shell_type {
        ConfigShellToolType::Default => {
            builder.push_spec(create_shell_tool());
@@ -902,8 +890,11 @@ pub(crate) fn build_specs(
        ConfigShellToolType::Local => {
            builder.push_spec(ToolSpec::LocalShell {});
        }
-        ConfigShellToolType::Streamable => {
-            // Already handled by use_unified_exec.
+        ConfigShellToolType::UnifiedExec => {
+            builder.push_spec(create_exec_command_tool());
+            builder.push_spec(create_write_stdin_tool());
+            builder.register_handler("exec_command", unified_exec_handler.clone());
+            builder.register_handler("write_stdin", unified_exec_handler);
        }
    }

@@ -1045,7 +1036,7 @@ mod tests {
        match config.shell_type {
            ConfigShellToolType::Default => Some("shell"),
            ConfigShellToolType::Local => Some("local_shell"),
-            ConfigShellToolType::Streamable => None,
+            ConfigShellToolType::UnifiedExec => None,
        }
    }

@@ -1095,7 +1086,7 @@ mod tests {
    }

    #[test]
-    fn test_full_toolset_specs_for_gpt5_codex() {
+    fn test_full_toolset_specs_for_gpt5_codex_unified_exec_web_search() {
        let model_family = find_family_for_model("gpt-5-codex")
            .expect("gpt-5-codex should be a valid model family");
        let mut features = Features::with_defaults();
@@ -1129,7 +1120,6 @@ mod tests {
        for spec in [
            create_exec_command_tool(),
            create_write_stdin_tool(),
-            create_shell_tool(),
            create_list_mcp_resources_tool(),
            create_list_mcp_resource_templates_tool(),
            create_read_mcp_resource_tool(),
@@ -1156,32 +1146,106 @@ mod tests {
        }
    }

-    #[test]
-    fn test_build_specs_contains_expected_basics() {
-        let model_family = find_family_for_model("codex-mini-latest")
-            .expect("codex-mini-latest should be a valid model family");
-        let mut features = Features::with_defaults();
-        features.enable(Feature::WebSearchRequest);
-        features.enable(Feature::UnifiedExec);
+    fn assert_model_tools(model_family: &str, features: &Features, expected_tools: &[&str]) {
+        let model_family = find_family_for_model(model_family)
+            .unwrap_or_else(|| panic!("{model_family} should be a valid model family"));
        let config = ToolsConfig::new(&ToolsConfigParams {
            model_family: &model_family,
-            features: &features,
+            features,
        });
        let (tools, _) = build_specs(&config, Some(HashMap::new())).build();
        let tool_names = tools.iter().map(|t| t.spec.name()).collect::<Vec<_>>();
-        assert_eq!(
-            &tool_names,
+        assert_eq!(&tool_names, &expected_tools,);
+    }
+
+    #[test]
+    fn test_build_specs_gpt5_codex_default() {
+        assert_model_tools(
+            "gpt-5-codex",
+            &Features::with_defaults(),
+            &[
+                "shell",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
+                "apply_patch",
+                "view_image",
+            ],
+        );
+    }
+
+    #[test]
+    fn test_build_specs_gpt5_codex_unified_exec_web_search() {
+        assert_model_tools(
+            "gpt-5-codex",
+            Features::with_defaults()
+                .enable(Feature::UnifiedExec)
+                .enable(Feature::WebSearchRequest),
            &[
                "exec_command",
                "write_stdin",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
+                "apply_patch",
+                "web_search",
+                "view_image",
+            ],
+        );
+    }
+
+    #[test]
+    fn test_codex_mini_defaults() {
+        assert_model_tools(
+            "codex-mini-latest",
+            &Features::with_defaults(),
+            &[
                "local_shell",
                "list_mcp_resources",
                "list_mcp_resource_templates",
                "read_mcp_resource",
                "update_plan",
+                "view_image",
+            ],
+        );
+    }
+
+    #[test]
+    fn test_porcupine_defaults() {
+        assert_model_tools(
+            "porcupine",
+            &Features::with_defaults(),
+            &[
+                "exec_command",
+                "write_stdin",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
+                "view_image",
+            ],
+        );
+    }
+
+    #[test]
+    fn test_codex_mini_unified_exec_web_search() {
+        assert_model_tools(
+            "codex-mini-latest",
+            Features::with_defaults()
+                .enable(Feature::UnifiedExec)
+                .enable(Feature::WebSearchRequest),
+            &[
+                "exec_command",
+                "write_stdin",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
                "web_search",
                "view_image",
-            ]
+            ],
        );
    }

--- a/codex-rs/core/src/user_instructions.rs
+++ b/codex-rs/core/src/user_instructions.rs
@@ -3,29 +3,25 @@ use serde::Serialize;

 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::USER_INSTRUCTIONS_CLOSE_TAG;
-use codex_protocol::protocol::USER_INSTRUCTIONS_OPEN_TAG;

-/// Wraps user instructions in a tag so the model can classify them easily.
+pub const USER_INSTRUCTIONS_OPEN_TAG_LEGACY: &str = "<user_instructions>";
+pub const USER_INSTRUCTIONS_PREFIX: &str = "# AGENTS.md instructions for ";

 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename = "user_instructions", rename_all = "snake_case")]
 pub(crate) struct UserInstructions {
-    text: String,
+    pub directory: String,
+    pub text: String,
 }

 impl UserInstructions {
-    pub fn new<T: Into<String>>(text: T) -> Self {
-        Self { text: text.into() }
-    }
-
-    /// Serializes the user instructions to an XML-like tagged block that starts
-    /// with <user_instructions> so clients can classify it.
-    pub fn serialize_to_xml(self) -> String {
-        format!(
-            "{USER_INSTRUCTIONS_OPEN_TAG}\n\n{}\n\n{USER_INSTRUCTIONS_CLOSE_TAG}",
-            self.text
-        )
+    pub fn is_user_instructions(message: &[ContentItem]) -> bool {
+        if let [ContentItem::InputText { text }] = message {
+            text.starts_with(USER_INSTRUCTIONS_PREFIX)
+                || text.starts_with(USER_INSTRUCTIONS_OPEN_TAG_LEGACY)
+        } else {
+            false
+        }
    }
 }

@@ -35,7 +31,11 @@ impl From<UserInstructions> for ResponseItem {
            id: None,
            role: "user".to_string(),
            content: vec![ContentItem::InputText {
-                text: ui.serialize_to_xml(),
+                text: format!(
+                    "{USER_INSTRUCTIONS_PREFIX}{directory}\n\n<INSTRUCTIONS>\n{contents}\n</INSTRUCTIONS>",
+                    directory = ui.directory,
+                    contents = ui.text
+                ),
            }],
        }
    }
@@ -68,3 +68,51 @@ impl From<DeveloperInstructions> for ResponseItem {
        }
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_user_instructions() {
+        let user_instructions = UserInstructions {
+            directory: "test_directory".to_string(),
+            text: "test_text".to_string(),
+        };
+        let response_item: ResponseItem = user_instructions.into();
+
+        let ResponseItem::Message { role, content, .. } = response_item else {
+            panic!("expected ResponseItem::Message");
+        };
+
+        assert_eq!(role, "user");
+
+        let [ContentItem::InputText { text }] = content.as_slice() else {
+            panic!("expected one InputText content item");
+        };
+
+        assert_eq!(
+            text,
+            "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>",
+        );
+    }
+
+    #[test]
+    fn test_is_user_instructions() {
+        assert!(UserInstructions::is_user_instructions(
+            &[ContentItem::InputText {
+                text: "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>".to_string(),
+            }]
+        ));
+        assert!(UserInstructions::is_user_instructions(&[
+            ContentItem::InputText {
+                text: "<user_instructions>test_text</user_instructions>".to_string(),
+            }
+        ]));
+        assert!(!UserInstructions::is_user_instructions(&[
+            ContentItem::InputText {
+                text: "test_text".to_string(),
+            }
+        ]));
+    }
+}
--- a/codex-rs/core/templates/compact/history_bridge.md
+++ b/codex-rs/core/templates/compact/history_bridge.md
@@ -1,7 +0,0 @@
-You were originally given instructions from a user over one or more turns. Here were the user messages:
-
-{{ user_messages_text }}
-
-Another language model started to solve this problem and produced a summary of its thinking process. You also have access to the state of the tools that were used by that language model. Use this to build on the work that has already been done and avoid duplicating work. Here is the summary produced by the other language model, use the information in this summary to assist with your own analysis:
-
-{{ summary_text }}
--- a/codex-rs/core/templates/compact/prompt.md
+++ b/codex-rs/core/templates/compact/prompt.md
@@ -1,5 +1,9 @@
-You have exceeded the maximum number of tokens, please stop coding and instead write a short memento message for the next agent. Your note should:
- Summarize what you finished and what still needs work. If there was a recent update_plan call, repeat its steps verbatim.
- List outstanding TODOs with file paths / line numbers so they're easy to find.
- Flag code that needs more tests (edge cases, performance, integration, etc.).
- Record any open bugs, quirks, or setup steps that will make it easier for the next agent to pick up where you left off.
+You are performing a CONTEXT CHECKPOINT COMPACTION. Create a handoff summary for another LLM that will resume the task.
+
+Include:
+- Current progress and key decisions made
+- Important context, constraints, or user preferences
+- What remains to be done (clear next steps)
+- Any critical data, examples, or references needed to continue
+
+Be concise, structured, and focused on helping the next LLM seamlessly continue the work.
--- a/Show More
+++ b/Show More