11 Commits

  • feat(remote-control): add daemon pairing command (#29913)
    ## Why
    
    Users who run Codex remote control through daemon mode can keep the
    daemon running, but they do not have a CLI path to mint the short-lived
    manual pairing code needed to connect another device. Without this
    command, they need to speak app-server JSON-RPC directly.
    
    Related: #25675
    
    ## What Changed
    
    - Added `codex remote-control pair`, which connects to the existing
    daemon control socket and calls `remoteControl/pairing/start` with
    `manualCode: true`.
    - Kept the command non-lifecycle-mutating: it does not start, enable, or
    restart the daemon.
    - Human output labels the manual code as `Pairing code: ...`; `--json`
    preserves the full pairing response.
    - Added daemon socket-client, CLI formatting, and parser coverage.
    
    ## Verification
    
    - `remote_control_client::tests::start_pairing_requests_manual_code`
    verifies the daemon client sends `{ "manualCode": true }` and parses the
    complete response.
    -
    `remote_control_cmd::tests::remote_control_pairing_human_output_labels_the_manual_code`
    verifies the human-facing output.
  • feat(app-server): persist remote-control desired state (#27445)
    ## Why
    
    Remote-control runtime enablement and persisted enrollment preference
    were represented by separate flags. That made startup rehydration, RPC
    persistence, and new-enrollment seeding race with one another, and it
    did not cleanly distinguish runtime-only CLI or daemon starts from
    durable app-server RPC changes.
    
    ## What Changed
    
    - Replace the parallel enablement, seed, and rehydration flags with one
    transport-owned `RemoteControlDesiredState`.
    - Add nullable enrollment-scoped persistence and preserve existing
    preferences during enrollment upserts.
    - Rehydrate plain startup only after auth and client scope resolve,
    without overwriting a concurrent RPC transition.
    - Make ordinary `remoteControl/enable` and `remoteControl/disable`
    durable while retaining `ephemeral: true` for runtime-only callers.
    - Have the daemon explicitly request ephemeral enablement and regenerate
    the app-server schemas.
    
    ## Verification
    
    - Covered migration and `NULL`/`0`/`1` persistence round trips.
    - Covered plain-start rehydration and runtime-only versus durable
    enrollment seeding.
    - Covered durable enable, durable disable, and ephemeral enable through
    app-server RPC.
    - Covered the daemon's exact `{ "ephemeral": true }` request payload.
    
    Related issue: N/A (internal remote-control persistence architecture
    change).
  • Report app-server version in codex doctor (#24311)
    ## Why
    
    We are seeing cases where users have an old background app-server still
    running. `codex doctor` already reports background server state, but
    without the running app-server version it is harder to diagnose
    behaviors that depend on the daemon build.
    
    ## What changed
    
    - Reused the app-server daemon's passive initialize probe through a
    narrow `probe_app_server_version` helper.
    - Updated the `codex doctor` Background Server section to report
    `app-server version: <version>` when the socket is reachable.
    - Preserved the not-running OK behavior and report `app-server version:
    unavailable (<short error>)` when a socket exists but the passive probe
    fails.
  • Improve codex remote-control CLI UX (#22878)
    ## Description
    
    This PR makes `codex remote-control` behave like a foreground CLI
    command by default. Running it now starts remote control, waits for
    readiness, prints a clear status message with the machine name, and
    stays alive until Ctrl-C.
    
    Users who want daemon behavior can use `codex remote-control start`, and
    `codex remote-control stop` now prints concise human-readable output.
    `--json` remains available for scripts.
    
    Implementation-wise, this now verifies the real app-server state instead
    of just assuming startup worked. The CLI starts or connects to
    app-server, probes its control socket, calls the `remoteControl/enable`
    API, and waits for the remote-control status response/notification
    before printing success.
    
    For daemon mode, `codex remote-control start` also reports which managed
    app-server binary was used, including its path and best-effort `codex
    --version`, so failures are easier to diagnose.
    
    ## Examples
    
    Example output:
    ```
    > codex remote-control
    Starting app-server with remote control enabled...
    This machine is available for remote control as com-97826.
    Press Ctrl-C to stop.
    ```
    
    Error case using daemon (currently expected based on our publicly
    released CLI version):
    ```
    > ./target/debug/codex remote-control start
    Starting app-server daemon with remote control enabled...
    Error: app server did not become ready on /Users/owen/.codex/app-server-control/app-server-control.sock
    
    Daemon used app-server:
      path: /Users/owen/.codex/packages/standalone/current/codex
      version: 0.130.0
    
    Managed app-server stderr (/Users/owen/.codex/app-server-daemon/app-server.stderr.log):
      error: unexpected argument '--remote-control' found
      
      Usage: codex app-server [OPTIONS] [COMMAND]
      
      For more information, try '--help'.
    
    Caused by:
        0: failed to connect to /Users/owen/.codex/app-server-control/app-server-control.sock
        1: No such file or directory (os error 2)
    ```
    
    ## What changed
    
    - `codex remote-control` now runs remote control in the foreground and
    prints a Ctrl-C stop hint.
    - `codex remote-control start` starts the daemon and waits for remote
    control readiness before reporting success.
    - `codex remote-control stop` reports stopped/not-running status in
    plain language.
    - Startup failures now include recent managed app-server stderr to make
    daemon issues easier to diagnose.
    - Added coverage for CLI output, readiness waiting, foreground shutdown,
    and stderr log tailing.
  • enable/disable remote control at runtime, not via features (#22578)
    ## Why
    reapplies https://github.com/openai/codex/pull/22386 which was
    previously reverted
    
    Also, introduce `remoteControl/enable` and `remoteControl/disable`
    app-server APIs to toggle on/off remote control at runtime for a given
    running app-server instance.
    
    ## What Changed
    
    - Adds experimental v2 RPCs:
      - `remoteControl/enable`
      - `remoteControl/disable`
    - Adds `RemoteControlRequestProcessor` and routes the new RPCs through
    it instead of `ConfigRequestProcessor`.
    - Adds named `RemoteControlHandle::enable`, `disable`, and `status`
    methods.
    - Makes `remoteControl/enable` return an error when sqlite state DB is
    unavailable, while keeping enrollment/websocket failures as async status
    updates.
    - Adds `AppServerRuntimeOptions.remote_control_enabled` and hidden
    `--remote-control` flags for `codex app-server` and `codex-app-server`.
    - Updates managed daemon startup to use `codex app-server
    --remote-control --listen unix://`.
    - Marks `Feature::RemoteControl` as removed and ignores
    `[features].remote_control`.
    - Updates app-server README entries for the new remote-control methods.
  • Improve remote-control daemon UX (#22562)
    ## Why
    
    `codex remote-control` manages the app-server daemon with
    `remote_control` enabled, but it previously only exposed an implicit
    start path. Once started, there was no obvious top-level
    `remote-control` command for stopping the daemon; users had to know
    about the lower-level `codex app-server daemon stop` command.
    
    The startup failure for missing managed installs was also ambiguous.
    `codex remote-control` and daemon bootstrap require the standalone Codex
    install under `CODEX_HOME/packages/standalone/current/codex`, but the
    old error only said to install Codex first, which is unclear when
    another `codex` binary is already on PATH. Now we add an explicit
    instruction for how to get the standalone Codex install.
    
    ## What changed
    
    - Converts `codex remote-control` into a command group while preserving
    bare `codex remote-control` as the existing start behavior.
    - Adds `codex remote-control start` as the explicit start path.
    - Adds `codex remote-control stop`, which maps to app-server daemon
    stop.
    - Updates the shared daemon managed-install error to name the missing
    standalone path, explain why that install is required, provide the
    installer command, and tell users to rerun the command they just tried.
    
    ## Verification
    
    - `cargo test -p codex-app-server-daemon`
    - `cargo test -p codex-cli`
    - `./target/debug/codex remote-control --help`
  • mark Feature::RemoteControl as removed (#22386)
    ## Why
    
    `remote_control` can appear in `config.toml`, CLI feature overrides, and
    the app-server config APIs. Before this PR, app-server startup treated
    `config.features.enabled(Feature::RemoteControl)` as the signal to start
    remote control ([base
    code](https://github.com/openai/codex/blob/5e3ee5eddfa5333f2e0b011880abf0cbf92bd295/codex-rs/app-server/src/lib.rs#L678-L680)).
    That meant a user with:
    
    ```toml
    [features]
    remote_control = true
    ```
    
    would accidentally opt every app-server process into remote control.
    Remote-control startup should instead be a per-process launch decision
    made by CLI flags.
    
    ## What Changed
    
    - Marks `Feature::RemoteControl` as `Stage::Removed`, keeping
    `remote_control` as a known compatibility key while making it
    config-inert.
    - Adds a hidden `--remote-control` process flag to `codex app-server`
    and standalone `codex-app-server`.
    - Plumbs that flag through
    `AppServerRuntimeOptions.remote_control_enabled` and makes app-server
    startup use only that runtime option to decide whether to start remote
    control.
    - Removes the app-server config mutation hook that reloaded config and
    toggled remote control at runtime.
    - Updates managed daemon spawning to use `codex app-server
    --remote-control --listen unix://` instead of `--enable remote_control`.
    
    Config APIs can still list, read, write, and set `remote_control`; those
    operations just no longer affect remote-control process enrollment.
  • Update codex remote-control to start the daemon (#22218)
    ## Why
    Update `codex remote-control` to use the new app server daemon commands
    instead.
    - if the updater loop is not running, bootstrap the daemon with remote
    control enabled (`codex app-server daemon bootstrap --remote-control`)
    - otherwise, enable the persisted remote-control setting and start the
    daemon normally
  • daemon: refresh updater after validated binary rollout (#21853)
    ## Why
    
    `bootstrap` starts a detached pid-backed updater loop, but before this
    change that updater could keep running an old executable image even
    after `install.sh` replaced the managed standalone binary under
    `CODEX_HOME`. That left the updater itself behind the binary it had just
    rolled out, especially when the app-server was stopped or when the
    managed binary changed without a version-string change.
    
    ## What changed
    
    - Track updater identity from the executable contents rather than only
    the reported CLI version.
    - Force the managed app-server restart path when the managed binary
    contents differ from the running updater image, then re-exec the updater
    from the managed binary once the rollout is in a safe state.
    - Distinguish a genuinely absent managed app-server from a managed
    process that exists but is not yet probeable, so self-refresh does not
    skip a required restart.
    - Keep the restart/re-exec decision under the daemon operation lock so
    `bootstrap` cannot race the handoff.
    - Update `app-server-daemon/README.md` to document the resulting
    standalone and out-of-band update behavior.
    
    ## Verification
    
    - `cargo test -p codex-app-server-daemon`
    - `just fix -p codex-app-server-daemon`
    
    Added focused unit coverage for:
    - content-based updater refresh decisions
    - safe updater re-exec outcomes across restart states
  • [daemon] Add app-server daemon lifecycle management (#20718)
    ## Why
    
    Desktop and mobile Codex clients need a machine-readable way to
    bootstrap and manage `codex app-server` on remote machines reached over
    SSH. The same flow is also useful for bringing up app-server with
    `remote_control` enabled on a fresh developer machine and keeping that
    managed install current without requiring a human session.
    
    ## What changed
    
    - add the new experimental `codex-app-server-daemon` crate and wire it
    into `codex app-server daemon` lifecycle commands: `start`, `restart`,
    `stop`, `version`, and `bootstrap`
    - add explicit `enable-remote-control` and `disable-remote-control`
    commands that persist the launch setting and restart a running managed
    daemon so the change takes effect immediately
    - emit JSON success responses for daemon commands so remote callers can
    consume them directly
    - support a Unix-only pidfile-backed detached backend for lifecycle
    management
    - assume the standalone `install.sh` layout for daemon-managed binaries
    and always launch `CODEX_HOME/packages/standalone/current/codex`
    - add bootstrap support for the standalone managed install plus a
    detached hourly updater loop
    - harden lifecycle management around concurrent operations, pidfile
    ownership, stale state cleanup, updater ownership, managed-binary
    preflight, Unix-only rejection, forced shutdown after the graceful
    window, and updater process-group tracking/cleanup
    - document the experimental Unix-only support boundary plus the
    standalone bootstrap/update flow in
    `codex-rs/app-server-daemon/README.md`
    
    ## Verification
    
    - `cargo test -p codex-app-server-daemon -p codex-cli`
    - live pid validation on `cb4`: `bootstrap --remote-control`, `restart`,
    `version`, `stop`
    
    ## Follow-up
    
    - Add updater self-refresh so the long-lived `pid-update-loop` can
    replace its own executable image after installing a newer managed Codex
    binary.