Commit Graph

5577 Commits

  • chore(guardian) disable mcps and plugins (#18722)
    ## Summary
    Disables apps, plugins, mcps for the guardian subagent thread
    
    ## Testing
    - [x] Added unit tests
  • [codex-analytics] guardian review analytics schema polishing (#17692)
    ## Why
    
    Guardian review analytics needs a Rust event shape that matches the
    backend schema while avoiding unnecessary PII exposure from reviewed
    tool calls. This PR narrows the analytics payload to the fields we
    intend to emit and keeps shared Guardian assessment enums in protocol
    instead of duplicating equivalent analytics-only enums.
    
    ## What changed
    
    - Uses protocol Guardian enums directly for `risk_level`,
    `user_authorization`, `outcome`, and command source values.
    - Removes high-risk reviewed-action fields from the analytics payload,
    including raw commands, display strings, working directories, file
    paths, network targets/hosts, justification text, retry reason, and
    rationale text.
    - Makes `target_item_id` and `tool_call_count` nullable so the Codex
    event can represent cases where the app-server protocol or producer does
    not have those values.
    - Keeps lower-risk structured reviewed-action metadata such as sandbox
    permissions, permission profile, `tty`, `execve` source/program, network
    protocol/port, and MCP connector/tool labels.
    - Adds an analytics reducer/client test covering `codex_guardian_review`
    serialization with an optional `target_item_id` and absent removed
    fields.
    
    ## Verification
    
    - `cargo test -p codex-analytics
    guardian_review_event_ingests_custom_fact_with_optional_target_item`
    - `cargo fmt --check`
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/17692).
    * #17696
    * #17695
    * #17693
    * __->__ #17692
  • [codex] Fix high severity dependency alerts (#18167)
    ## Summary
    - Pin vulnerable npm dependencies through the existing root
    `resolutions` mechanism so the lockfile moves only to patched versions.
    - Refresh `pnpm-lock.yaml` for `@modelcontextprotocol/sdk`,
    `handlebars`, `path-to-regexp`, `picomatch`, `minimatch`, `flatted`,
    `rollup`, and `glob`.
    - Bump `quinn-proto` from `0.11.13` to `0.11.14` and refresh
    `MODULE.bazel.lock`.
    
    ## Testing
    - `corepack pnpm --store-dir .pnpm-store install --frozen-lockfile
    --ignore-scripts`
    - `corepack pnpm audit --audit-level high` (passes; remaining advisories
    are low/moderate)
    - `corepack pnpm -r --filter ./sdk/typescript run build`
    - `corepack pnpm exec eslint 'src/**/*.ts' 'tests/**/*.ts'`
    - `cargo check --locked`
    - `cargo build -p codex-cli`
    - `bazel --output_user_root=/tmp/bazel-codex-dependabot
    --ignore_all_rc_files mod deps --lockfile_mode=error`
    - `just fmt`
    
    Note: `corepack pnpm -r --filter ./sdk/typescript run test` was also
    attempted after building `codex`; it is blocked on this workstation by
    host-managed Codex MDM/auth state (`approval_policy` restrictions and
    ChatGPT/API-key mismatch), not by this dependency change.
  • Update models.json (#18388)
    Automated update of models.json.
    
    ---------
    
    Co-authored-by: aibrahim-oai <219906144+aibrahim-oai@users.noreply.github.com>
    Co-authored-by: Ahmed Ibrahim <aibrahim@openai.com>
  • [codex] Fix agent identity auth test fixture (#18697)
    ## Summary
    - Add the missing `background_task_id: None` field to the
    `AgentIdentityAuthRecord` fixture introduced in `auth_tests.rs`.
    
    ## Why
    - Current `main` fails Bazel/rust-ci compile paths after the
    background-task auth field landed and a later auth test fixture
    constructed `AgentIdentityAuthRecord` without that new field.
    - I intentionally removed the earlier broader CI-stability edits from
    this PR. The code-mode timeout, external-agent migration snapshot, and
    MCP resource timeout failures appear to be general/flaky or unrelated to
    the agent identity merge stack rather than cleanly caused by it.
    
    ## Validation
    - `cargo test -p codex-login
    dummy_chatgpt_auth_does_not_create_cwd_auth_json_when_identity_is_set --
    --nocapture`
    - `just fmt`
  • Remove simple TUI legacy_core reexports (#18631)
    ## Problem
    The TUI still imported path utilities and config-loader symbols through
    app-server-client's legacy_core facade even though those APIs already
    exist in utility/config crates. This is part of our ongoing effort to
    whittle away at these old dependencies.
    
    ## Solution
    Rewire imports to avoid the TUI directly importing from the core crate
    and instead import from common lower-level crates. This PR doesn't
    include any functional changes; it's just a simple rewiring.
  • Wire the PatchUpdated events through app_server (#18289)
    Wires patch_updated events through app_server. These events are parsed
    and streamed while apply_patch is being written by the model. Also adds 500ms of buffering to the patch_updated events in the diff_consumer.
    
    The eventual goal is to use this to display better progress indicators in
    the codex app.
  • Update models.json (#18586)
    - Replace the active models-manager catalog with the deleted core
    catalog contents.
    - Replace stale hardcoded test model slugs with current bundled model
    slugs.
    - Keep this as a stacked change on top of the cleanup PR.
  • refactor: use semaphores for async serialization gates (#18403)
    This is the second cleanup in the await-holding lint stack. The
    higher-level goal, following https://github.com/openai/codex/pull/18178
    and https://github.com/openai/codex/pull/18398, is to enable Clippy
    coverage for guards held across `.await` points without carrying broad
    suppressions.
    
    The stack is working toward enabling Clippy's
    [`await_holding_lock`](https://rust-lang.github.io/rust-clippy/master/index.html#await_holding_lock)
    lint and the configurable
    [`await_holding_invalid_type`](https://rust-lang.github.io/rust-clippy/master/index.html#await_holding_invalid_type)
    lint for Tokio guard types.
    
    Several existing fields used `tokio::sync::Mutex<()>` only as
    one-at-a-time async gates. Those guards intentionally lived across
    `.await` while an operation was serialized. A mutex over `()` suggests
    protected data and trips the await-holding lint shape; a single-permit
    `tokio::sync::Semaphore` expresses the intended serialization directly.
    
    ## What changed
    
    - Replace `Mutex<()>` serialization gates with `Semaphore::new(1)` for
    agent identity ensure, exec policy updates, guardian review session
    reuse, plugin remote sync, managed network proxy refresh, auth token
    refresh, and RMCP session recovery.
    - Update call sites from `lock().await` / `try_lock()` to
    `acquire().await` / `try_acquire()`.
    - Map closed-semaphore errors into the existing local error types, even
    though these semaphores are owned for the lifetime of their managers.
    - Update session test builders for the new
    `managed_network_proxy_refresh_lock` type.
    
    ## Verification
    
    - The split stack was verified at the final lint-enabling head with
    `just clippy`.
    
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/18403).
    * #18698
    * #18423
    * #18418
    * __->__ #18403
  • protocol: canonicalize file system permissions (#18274)
    ## Why
    
    `PermissionProfile` needs stable, canonical file-system semantics before
    it can become the primary runtime permissions abstraction. Without a
    canonical form, callers have to keep re-deriving legacy sandbox maps and
    profile comparisons remain lossy or order-dependent.
    
    ## What changed
    
    This adds canonicalization helpers for `FileSystemPermissions` and
    `PermissionProfile`, expands special paths into explicit sandbox
    entries, and updates permission request/conversion paths to consume
    those canonical entries. It also tightens the legacy bridge so root-wide
    write profiles with narrower carveouts are not silently projected as
    full-disk legacy access.
    
    ## Verification
    
    - `cargo test -p codex-protocol
    root_write_with_read_only_child_is_not_full_disk_write -- --nocapture`
    - `cargo test -p codex-sandboxing permission -- --nocapture`
    - `cargo test -p codex-tui permissions -- --nocapture`
  • codex: move unloaded thread writes into store (#18361)
    - Migrates unloaded `thread/name/set` and `thread/memoryModeSet`
    app-server writes behind the generic
    `ThreadStore::update_thread_metadata` API rather than adding one-off
    store methods for setting thread name or memory mode.
    - Implements the local ThreadStore metadata patch path for thread name
    and memory mode, including rollout append, legacy name index updates,
    SessionMeta validation/update, SQLite reconciliation, and re-reading the
    stored thread.
    - Adds focused local thread-store unit coverage plus app-server
    integration coverage for the migrated unloaded write paths.
  • Surface parent thread status in side conversations (#18591)
    ## Summary
    
    Side conversations can hide important state changes from the parent
    conversation while the user is focused on the side thread. In
    particular, the parent may finish, fail, need user input, or require an
    approval while the side conversation remains visible. Users need a
    lightweight signal for those states, but parent approval overlays should
    not interrupt the side conversation itself.
    
    This change adds parent-conversation status to the side conversation
    context label and defers parent interactive overlays while side mode is
    active. When the user exits side mode, pending parent approvals and
    input requests are restored in the main thread. The pending approval
    footer avoids duplicating the same parent approval status, and replayed
    notice cells are filtered when restoring a pending interactive request
    so tips or warnings do not crowd out the approval prompt.
    
    The change is contained to the TUI side-conversation and thread replay
    paths.
    
    Example 1: Approval pending
    <img width="752" height="35" alt="Screenshot 2026-04-19 at 12 56 07 PM"
    src="https://github.com/user-attachments/assets/1cc0f1a3-9cab-4d60-aed2-96523ccafc20"
    />
    
    Example 2: Turn complete
    <img width="754" height="35" alt="Screenshot 2026-04-19 at 12 56 27 PM"
    src="https://github.com/user-attachments/assets/653521a5-e298-4366-ae1c-72b56eb88eeb"
    />
  • Use app server thread names in TUI picker (#18633)
    ## Problem
    
    The TUI resume/fork picker was backfilling thread names from local
    rollout indexes. This was left over from before the TUI was moved to the
    app server. It should be using app-server APIs because the TUI might be
    connected to a remote connection.
    
    This bug wasn't (yet) reported by a user. I found it by asking Codex to
    review places in the TUI code where it was still directly accessing the
    CODEX_HOME directory rather than going through app-server APIs.
    
    ## Solution
    
    The resume picker and session lookups should use app-server thread APIs
    only. Remove legacy rollout name/list backfills, and avoid local name
    reads in fork history.
    
    ## Testing
    
    I manually tested `codex resume` and `codex resume --all` to look for
    functional or performance regressions in the resume picker.
  • Add verbose diagnostics for /mcp (#18610)
    Fixes #18539.
    
    ## Summary
    The recent `/mcp` performance work kept the default command fast by
    avoiding resource and resource-template inventory probes, but it also
    removed useful diagnostics for users trying to confirm MCP server state.
    
    This keeps bare `/mcp` on the fast tools/auth path and adds `/mcp
    verbose` for the slower diagnostic view. Verbose mode requests full MCP
    server status from the app-server and restores status, resources, and
    resource templates in the TUI output.
    
    ## Testing
    In addition to running automation, I manually tested the feature to
    confirm that it works.
  • fix: auth.json leak in tests (#18657)
    Before this some tests were leaking an auth.json file into
    `codex-rs/core`. This just fixes it
  • [codex] Use background task auth for additional backend calls (#18260)
    ## Summary
    
    Splits the larger PR4.1 background task auth rollout by moving
    additional backend/control-plane call sites into this downstream PR.
    
    This PR keeps callers on the same design as PR4.1: most code asks
    `AuthManager` for the default ChatGPT backend authorization header, and
    `AuthManager` decides bearer vs background AgentAssertion internally.
    Task-pinned inference auth remains separate because it needs the
    thread's registered task id.
    
    ## Stack
    
    - PR1: https://github.com/openai/codex/pull/17385 - add
    `features.use_agent_identity`
    - PR2: https://github.com/openai/codex/pull/17386 - register agent
    identities when enabled
    - PR3: https://github.com/openai/codex/pull/17387 - register agent tasks
    when enabled
    - PR3.1: https://github.com/openai/codex/pull/17978 - persist and
    prewarm registered tasks per thread
    - PR4: https://github.com/openai/codex/pull/17980 - use task-scoped
    `AgentAssertion` for downstream calls
    - PR4.1: https://github.com/openai/codex/pull/18094 - introduce
    AuthManager-owned background/control-plane `AgentAssertion` auth
    - PR4.2: this PR - use background task auth for additional
    backend/control-plane calls
    
    ## What Changed
    
    - pass full authorization header values through backend-client and
    cloud-tasks-client call paths where needed
    - move ChatGPT client, cloud requirements, cloud tasks, thread-manager,
    and models-manager background auth usage into this downstream slice
    - make app-server remote control enrollment/websocket auth ask
    `AuthManager` for the local backend authorization header instead of
    threading a background auth mode through transport options
    - keep the same feature-gated bearer fallback behavior from PR4.1
    
    ## Validation
    
    - `just fmt`
    - `cargo check -p codex-core -p codex-login -p codex-analytics -p
    codex-app-server -p codex-cloud-requirements -p codex-cloud-tasks -p
    codex-models-manager -p codex-chatgpt -p codex-model-provider -p
    codex-mcp -p codex-core-skills`
    - `cargo test -p codex-login agent_identity`
    - `cargo test -p codex-model-provider bearer_auth_provider`
    - `cargo test -p codex-core agent_assertion`
    - `cargo test -p codex-app-server remote_control`
    - `cargo test -p codex-cloud-requirements fetch_cloud_requirements`
    - `cargo test -p codex-models-manager manager::tests`
    - `cargo test -p codex-chatgpt`
    - `cargo test -p codex-cloud-tasks`
    - `just fix -p codex-core -p codex-login -p codex-analytics -p
    codex-app-server -p codex-cloud-requirements -p codex-cloud-tasks -p
    codex-models-manager -p codex-chatgpt -p codex-model-provider -p
    codex-mcp -p codex-core-skills`
    - `just fix -p codex-app-server`
    - `git diff --check`
  • Avoid false shell snapshot cleanup warnings (#18441)
    ## Why
    Fresh app-server thread startup can create a shell snapshot through a
    temp file and then promote it to the final snapshot path. The previous
    implementation briefly wrapped the temp path in `ShellSnapshot`, so
    after a successful rename its `Drop` attempted to delete the old temp
    path and could log a false `ENOENT` warning.
    
    Fixes #17549.
    
    ## What changed
    - Validate the temp snapshot path directly before promotion.
    - Rename the temp path directly to the final snapshot path.
    - Keep explicit cleanup of the temp path on validation or finalization
    failures.
  • [codex] Use background agent task auth for backend calls (#18094)
    ## Summary
    
    Introduces a single background/control-plane agent task for ChatGPT
    backend requests that do not have a thread-scoped task, with
    `AuthManager` owning the default ChatGPT backend authorization decision.
    
    Callers now ask `AuthManager` for the default ChatGPT backend
    authorization header. `AuthManager` decides whether that is bearer or
    background AgentAssertion based on config/internal state, while
    low-level bootstrap paths can explicitly request bearer-only auth.
    
    This PR is stacked on PR4 and focuses on the shared background task auth
    plumbing plus the first tranche of backend/control-plane consumers. The
    remaining callsite wiring is split into PR4.2 to keep review size down.
    
    ## Stack
    
    - PR1: https://github.com/openai/codex/pull/17385 - add
    `features.use_agent_identity`
    - PR2: https://github.com/openai/codex/pull/17386 - register agent
    identities when enabled
    - PR3: https://github.com/openai/codex/pull/17387 - register agent tasks
    when enabled
    - PR3.1: https://github.com/openai/codex/pull/17978 - persist and
    prewarm registered tasks per thread
    - PR4: https://github.com/openai/codex/pull/17980 - use task-scoped
    `AgentAssertion` for downstream calls
    - PR4.1: this PR - introduce AuthManager-owned background/control-plane
    `AgentAssertion` auth
    - PR4.2: https://github.com/openai/codex/pull/18260 - use background
    task auth for additional backend/control-plane calls
    
    ## What Changed
    
    - add background task registration and assertion minting inside
    `codex-login`
    - persist `agent_identity.background_task_id` separately from
    per-session task state
    - make `BackgroundAgentTaskManager` private to `codex-login`; call sites
    do not instantiate or pass it around
    - teach `AuthManager` the ChatGPT backend base URL and feature-derived
    background auth mode from resolved config
    - expose bearer-only helpers for bootstrap/registration/refresh-style
    paths that must not use AgentAssertion
    - wire `AuthManager` default ChatGPT authorization through app listing,
    connector directory listing, remote plugins, MCP status/listing,
    analytics, and core-skills remote calls
    - preserve bearer fallback when the feature is disabled, the backend
    host is unsupported, or background task registration is not available
    
    ## Validation
    
    - `just fmt`
    - `cargo check -p codex-core -p codex-login -p codex-analytics -p
    codex-app-server -p codex-cloud-requirements -p codex-cloud-tasks -p
    codex-models-manager -p codex-chatgpt -p codex-model-provider -p
    codex-mcp -p codex-core-skills`
    - `cargo test -p codex-login agent_identity`
    - `cargo test -p codex-model-provider bearer_auth_provider`
    - `cargo test -p codex-core agent_assertion`
    - `cargo test -p codex-app-server remote_control`
    - `cargo test -p codex-cloud-requirements fetch_cloud_requirements`
    - `cargo test -p codex-models-manager manager::tests`
    - `cargo test -p codex-chatgpt`
    - `cargo test -p codex-cloud-tasks`
    - `just fix -p codex-core -p codex-login -p codex-analytics -p
    codex-app-server -p codex-cloud-requirements -p codex-cloud-tasks -p
    codex-models-manager -p codex-chatgpt -p codex-model-provider -p
    codex-mcp -p codex-core-skills`
    - `just fix -p codex-app-server`
    - `git diff --check`
  • feat: log client use min log level (#18661)
    In the log client, use the log level filter as a minimum severity
    instead of exact match
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • chore: drop review prompt from TUI UX (#18659)
    Due to the app-server rebase of the TUI, the review prompt was leaked
    into the transcript on the TUI
    This is not a security issue but it was bad UX. This PR fixes this
  • feat: add metric to track the number of turns with memory usage (#18662)
    Add a metric `codex.turn.memory` to know if a turn used memories or not.
    This is not part of the other turn metrics as a label to limit
    cardinality
  • feat: chronicle alias (#18651)
    Rename Telepathy to Chronicle and add an alias for backward
    compatibility
  • feat: add --ignore-user-config and --ignore-rules (#18646)
    Add those 2 flags to be able to fully isolate a run of `codex exec` from
    any rules or tools.
    This will be used by Chronicle
  • fix: FS watcher when file does not exist yet (#18492)
    The initial goal of this PR was to stabilise the test
    `fs_watch_allows_missing_file_targets`. After further investigation, it
    turns out that this test was always failing and the unstability was
    coming from a race between timeouts mostly
    
    The goal of the test was to test what happens if a notifier gets
    subscribed while a file does not exist yet. But actually the main code
    was broken and in case of a file not existing yet, the notifier used to
    never notify anything (even if the file ended up being created)
    
    This PR fixes the main code (and the test). For this, we basically watch
    the sup-directory when a file does not exist and refresh on it when the
    files gets created
  • Stabilize marketplace/remove installedRoot test (#17721)
    ## Why
    
    This addresses the review comment from #17751 about `marketplace/remove`
    app-server test portability:
    https://github.com/openai/codex/pull/17751#discussion_r3104378613
    
    The API returns the removed installed root using the app-server's
    effective `CODEX_HOME`. On macOS, temporary directory paths can appear
    as either `/var/...` or `/private/var/...`, so comparing one raw path
    against another can fail even when `marketplace/remove` behaves
    correctly.
    
    ## What changed
    
    - Removed the direct whole-response equality assertion for the installed
    root path.
    - Asserted the stable response field, `marketplace_name`, directly.
    - Compared the expected and returned installed-root paths after
    canonicalizing their existing parent directories, which avoids requiring
    the removed leaf directory to still exist.
    
    ## Verification
    
    - `cargo test -p codex-app-server
    marketplace_remove_deletes_config_and_installed_root`
    - `cargo test -p codex-app-server marketplace_remove`
  • chore: morpheus to path (#18353)
    Make the morpheus agent (which is the phase 2 memories agent) follow the
    agent-v2 path system by naming it `/morpheus`. To maintain the path
    primitive this means moving it to a dedicated `AgentControl`
    
    Co-authored-by: Codex <noreply@openai.com>
  • feat: add mem 2 agent header (#18644)
    Add a header to memory phase 2 agent for analytics
  • [codex] Add marketplace/remove app-server RPC (#17751)
    ## Summary
    
    Add a new app-server `marketplace/remove` RPC on top of the shared
    marketplace-remove implementation.
    
    This change:
    - adds `MarketplaceRemoveParams` / `MarketplaceRemoveResponse` to the
    app-server protocol
    - wires the new request through `codex_message_processor`
    - reuses the shared core marketplace-remove flow from the stacked
    refactor PR
    - updates generated schema files and adds focused app-server coverage
    
    ## Validation
    
    - `just write-app-server-schema`
    - `just fmt`
    - heavy compile/test coverage deferred to GitHub CI per request
  • [codex] Use AgentAssertion downstream behind use_agent_identity (#17980)
    ## Summary
    
    This is the AgentAssertion downstream slice for feature-gated agent
    identity support, replacing the oversized AgentAssertion slice from PR
    #17807.
    
    It isolates task-scoped downstream AgentAssertion wiring on top of the
    merged PR3.1 work without re-carrying the earlier agent registration,
    task registration, or task-state history.
    
    This PR includes the task-scoped bug-fix call sites from the review:
    generic file upload auth, MCP OpenAI file upload auth, and ARC monitor
    auth. Broader user/control-plane calls move to PR4.1 and PR4.2.
    
    ## Stack
    
    - PR1: https://github.com/openai/codex/pull/17385 - add
    `features.use_agent_identity`
    - PR2: https://github.com/openai/codex/pull/17386 - register agent
    identities when enabled
    - PR3: https://github.com/openai/codex/pull/17387 - register agent tasks
    when enabled
    - PR3.1: https://github.com/openai/codex/pull/17978 - persist and
    prewarm registered tasks per thread
    - PR4: this PR - use task-scoped `AgentAssertion` downstream when
    enabled
    - PR4.1: https://github.com/openai/codex/pull/18094 - introduce
    AuthManager-owned background/control-plane `AgentAssertion` auth
    - PR4.2: https://github.com/openai/codex/pull/18260 - use background
    task auth for additional backend/control-plane calls
    
    ## What Changed
    
    - add AgentAssertion envelope generation in `codex-core`
    - route downstream HTTP and websocket auth through AgentAssertion when
    an agent task is present
    - extend the model-provider auth provider so non-bearer authorization
    schemes can be passed through cleanly
    - make generic file uploads attach the full authorization header value
    - make MCP OpenAI file uploads use the cached thread agent task
    assertion when present
    - make ARC monitor calls use the cached thread agent task assertion when
    present
    
    ## Why
    
    The original PR had drifted ancestry and showed a much larger diff than
    the semantic change actually required. Restacking it onto PR3.1 keeps
    the reviewable surface down to the downstream assertion slice.
    
    ## Validation
    
    - `just fmt`
    - `cargo check -p codex-core -p codex-login -p codex-analytics -p
    codex-app-server -p codex-cloud-requirements -p codex-cloud-tasks -p
    codex-models-manager -p codex-chatgpt -p codex-model-provider -p
    codex-mcp -p codex-core-skills`
    - `cargo test -p codex-model-provider bearer_auth_provider`
    - `cargo test -p codex-core agent_assertion`
    - `cargo test -p codex-app-server remote_control`
    - `cargo test -p codex-cloud-requirements fetch_cloud_requirements`
    - `cargo test -p codex-models-manager manager::tests`
    - `cargo test -p codex-chatgpt`
    - `cargo test -p codex-cloud-tasks`
    - `cargo test -p codex-login agent_identity`
    - `just fix -p codex-core -p codex-login -p codex-analytics -p
    codex-app-server -p codex-cloud-requirements -p codex-cloud-tasks -p
    codex-models-manager -p codex-chatgpt -p codex-model-provider -p
    codex-mcp -p codex-core-skills`
    - `just fix -p codex-app-server`
    - `git diff --check`
  • [codex] Add workspace owner usage nudge UI (#18221)
    ## Summary
    
    Third PR in the split from #17956. Stacked on #18220.
    
    - shows workspace-owner/member-specific rate-limit messages behind
    `workspace_owner_usage_nudge`
    - prompts workspace members to notify the owner or request a usage-limit
    increase
    - sends the confirmed nudge through the app-server API and renders
    completion feedback
    - adds focused TUI snapshot coverage for prompts and completion states
    - feature gate
    
    ## Validation
    
    - `cargo test -p codex-backend-client`
    - `cargo test -p codex-app-server-protocol`
    - `cargo test -p codex-app-server rate_limits`
    - `cargo test -p codex-tui workspace_`
    - `cargo test -p codex-tui status_`
    - `just fmt`
    - `just fix -p codex-backend-client`
    - `just fix -p codex-app-server-protocol`
    - `just fix -p codex-app-server`
    - `just fix -p codex-tui`
  • TUI: remove simple legacy_core re-exports (#18605)
    ## Summary
    
    The TUI still imported several symbols through the transitional
    app-server-client `legacy_core` facade even though those symbols are
    already owned by smaller crates. This PR narrows that facade by rewiring
    those imports directly to their owner crates.
    
    ## Changes
    
    No functional changes, just import rewiring. This is part of our ongoing
    effort to whittle away at the `legacy_core` namespace, which represents
    all of the remaining symbols that the TUI imports from the core.
  • Use thread IDs in TUI resume hints (#18440)
    ## Summary
    
    Fixes #18313.
    
    Recent TUI resume breadcrumbs could print a thread title instead of the
    stable thread UUID. For sessions whose title was auto-derived from the
    first prompt, that made the suggested codex resume command look like it
    should resume a long prompt rather than the session ID.
    
    This updates the TUI and CLI post-exit resume hints, plus the in-session
    summary shown when switching/forking threads, to always use the stable
    thread ID for these recovery breadcrumbs. Explicit name-based resume
    support remains available elsewhere.
  • fix(guardian) disable skills message in guardian thread (#18599)
    ## Summary
    Remove the skills message from the guardian dev message
    
    ## Test Plan
    - [x] Ran locally
    - [x] Added unit test
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • chore(multiagent) skills instructions toggle (#18596)
    ## Summary
    Support toggling the skills message off.
    
    ## Test Plan
    - [x] Updated unit tests
  • Soften Fast mode plan usage copy (#18601)
    Fast mode TUI copy currently names a specific plan-usage multiplier in
    two lightweight promo/help surfaces. This swaps that exact multiplier
    language for the broader increased plan usage wording we use elsewhere.
    
    There are no behavior changes here; the slash command and startup tip
    still point users at the same Fast mode flow.
  • Persist and prewarm agent tasks per thread (#17978)
    ## Summary
    - persist registered agent tasks in the session state update stream so
    the thread can reuse them
    - prewarm task registration once identity registration succeeds, while
    keeping startup failures best-effort
    - isolate the session-side task lifecycle into a dedicated module so
    AgentIdentityManager and RegisteredAgentTask do not leak across as many
    core layers
    
    ## Testing
    - cargo test -p codex-core startup_agent_task_prewarm
    - cargo test -p codex-core
    cached_agent_task_for_current_identity_clears_stale_task
    - cargo test -p codex-core record_initial_history_
  • Filter Windows sandbox roots from SSH config dependencies (#18493)
    ## Stack
    
    1. Base PR: #18443 stops granting ACLs on `USERPROFILE`.
    2. This PR: filters additional SSH-owned profile roots discovered from
    SSH config.
    
    ## Bug
    
    The base PR removes the broadest bad grant: `USERPROFILE` itself.
    
    That still leaves one important case. A user profile child can be
    SSH-owned even when its name is not one of our fixed exclusions.
    
    For example:
    
    ```sshconfig
    Host devbox
      IdentityFile ~/.keys/devbox
      CertificateFile ~/.certs/devbox-cert.pub
      UserKnownHostsFile ~/.known_hosts_custom
      Include ~/.ssh/conf.d/*.conf
    ```
    
    After profile expansion, the sandbox might see these as normal profile
    children:
    
    ```text
    C:\Users\me\.keys
    C:\Users\me\.certs
    C:\Users\me\.known_hosts_custom
    C:\Users\me\.ssh
    ```
    
    Those paths have another owner: OpenSSH and the tools that manage SSH
    identity and host-key state. Codex should not add sandbox ACLs to them.
    
    OpenSSH describes this dependency tree in
    [`ssh_config(5)`](https://man.openbsd.org/ssh_config.5), and the client
    parser follows the same shape in `readconf.c`:
    
    - `Include` recursively reads more config files and expands globs
    - `IdentityFile` and `CertificateFile` name authentication files
    - `UserKnownHostsFile`, `GlobalKnownHostsFile`, and `RevokedHostKeys`
    name host-key files
    - `ControlPath` and `IdentityAgent` can name profile-owned sockets or
    control files
    - these path directives can use forms such as `~`, `%d`, and `${HOME}`
    
    ## Change
    
    This PR adds a small SSH config dependency scanner.
    
    It starts at:
    
    ```text
    ~/.ssh/config
    ```
    
    Then it returns concrete paths named by `Include` and by path-valued SSH
    config directives:
    
    ```text
    IdentityFile
    CertificateFile
    UserKnownHostsFile
    GlobalKnownHostsFile
    RevokedHostKeys
    ControlPath
    IdentityAgent
    ```
    
    For example:
    
    ```sshconfig
    IdentityFile ~/.keys/devbox
    CertificateFile ~/.certs/devbox-cert.pub
    Include ~/.ssh/conf.d/*.conf
    ```
    
    returns paths like:
    
    ```text
    C:\Users\me\.keys\devbox
    C:\Users\me\.certs\devbox-cert.pub
    C:\Users\me\.ssh\conf.d\devbox.conf
    ```
    
    The setup code then maps those paths back to their top-level
    `USERPROFILE` child and filters matching sandbox roots out of both the
    writable and readable root lists.
    
    ## Why this shape
    
    The parser reports what SSH config references. The sandbox setup code
    decides which `USERPROFILE` roots are unsafe to grant.
    
    That keeps the policy simple:
    
    1. expand broad profile grants
    2. remove the profile root
    3. remove fixed sensitive profile folders
    4. remove profile folders referenced by SSH config dependencies
    
    If a path has two possible owners, the sandbox steps back. SSH keeps
    control of SSH config, keys, certificates, known-hosts files, sockets,
    and included config files.
    
    ## Tests
    
    - `cargo test -p codex-windows-sandbox --lib`
    - `just bazel-lock-check`
    - `just fix -p codex-windows-sandbox`
    - `git diff --check`
  • Do not grant Windows sandbox ACLs on USERPROFILE (#18443)
    ## Stack
    
    1. This PR: expand and filter `USERPROFILE` roots.
    2. Follow-up: #18493 filters SSH config dependency roots on top of this
    base.
    
    ## Bug
    
    On Windows, Codex can grant the sandbox ACL access to the whole user
    profile directory.
    
    That means the sandbox ACL can be applied under paths like:
    
    ```text
    C:\Users\me\.ssh
    C:\Users\me\.tsh
    ```
    
    This breaks SSH. Windows OpenSSH checks permissions on SSH config and
    key material. If Codex adds a sandbox group ACL to those files, OpenSSH
    can reject the config or keys.
    
    The bad interaction is:
    
    1. Codex asks the Windows sandbox to grant access to `USERPROFILE`.
    2. The sandbox applies ACLs under that root.
    3. SSH-owned files get an extra ACL entry.
    4. OpenSSH rejects those files because their permissions are no longer
    strict enough.
    
    ## Why this happens more now
    
    Codex now has more flows that naturally start in the user profile:
    
    - a new chat can start in the user directory
    - a project can be rooted in the user directory
    - a user can start the Codex CLI from the user directory
    
    Those are valid user actions. The bug is that `USERPROFILE` is too broad
    a sandbox root.
    
    ## Change
    
    This PR keeps the useful behavior of starting from the user profile
    without granting the profile root itself.
    
    The new flow is:
    
    1. collect the normal read and write roots
    2. if a root is exactly `USERPROFILE`, replace it with the direct
    children of `USERPROFILE`
    3. remove `USERPROFILE` itself from the final root list
    4. apply the existing user-profile read exclusions to both read and
    write roots
    5. add `.tsh` and `.brev` to that exclusion list
    
    So this input:
    
    ```text
    C:\Users\me
    ```
    
    becomes roots like:
    
    ```text
    C:\Users\me\Desktop
    C:\Users\me\Documents
    C:\Users\me\Downloads
    ```
    
    and does not include:
    
    ```text
    C:\Users\me
    C:\Users\me\.ssh
    C:\Users\me\.tsh
    C:\Users\me\.brev
    ```
    
    If `USERPROFILE` cannot be listed, expansion falls back to the profile
    root and the later filter removes it. That keeps the failure mode closed
    for this bug.
    
    ## Why this shape
    
    The sandbox still gets access to ordinary profile folders when the user
    starts from home.
    
    The sandbox no longer grants access to the profile root itself.
    
    All filtering happens after expansion, for both read and write roots.
    That gives us one simple rule: expand broad profile grants first, then
    remove roots the sandbox must not own.
    
    ## Tests
    
    - `just fmt`
    - `cargo test -p codex-windows-sandbox`
    - `just fix -p codex-windows-sandbox`
    - `git diff --check`
  • Avoid redundant memory enable notice (#18580)
    ## Summary
    
    Fixes #18554.
    
    The `/experimental` menu can submit the full experimental feature state
    even when the user presses Enter without toggling anything. Previously,
    Codex showed `Memories will be enabled in the next session.` whenever
    the submitted updates included `Feature::MemoryTool = true`, so sessions
    where Memories were already enabled could show a redundant warning on a
    no-op save.
    
    This change records whether `Feature::MemoryTool` was enabled before
    applying feature updates and only emits the next-session notice when
    Memories actually transitions from disabled to enabled.
  • Add /side conversations (#18190)
    The TUI supports long-running turns and agent threads, but quick side
    questions have required interrupting the main flow or manually
    forking/navigating threads. This PR adds a guarded `/side` flow so users
    can ask brief side-conversation questions in an ephemeral fork while
    keeping the primary thread focused. This also helps address the feature
    request in #18125.
    
    The implementation creates one side conversation at a time, lets `/side`
    open either an empty side thread or immediately submit `/side
    <question>`, and returns to the parent with Esc or Ctrl+C. Side
    conversations get hidden developer guardrails that treat inherited
    history as reference-only and steer the model away from workspace
    mutations unless explicitly requested in the side conversation.
    
    The TUI hides most slash commands while side mode is active, leaving
    only `/copy`, `/diff`, `/mention`, and `/status` available there.
  • Remove unused models.json (#18585)
    - Remove the stale core models catalog.
    - Update the release workflow to refresh the active models-manager
    catalog.
  • Log realtime session id (#18571)
    - Log the actual realtime session id when the session.updated event
    arrives.
  • Queue slash and shell prompts in the TUI (#18542)
    ## Why
    
    Users have asked to queue follow-up slash commands while a task is
    running, including in #14081, #14588, #14286, and #13779. The previous
    TUI behavior validated slash commands immediately, so commands that are
    only meaningful once the current turn is idle could not be queued
    consistently.
    
    The queue should preserve what the user typed and defer command parsing
    until the item is actually dispatched. This also gives `/fast`, `/review
    ...`, `/rename ...`, `/model`, `/permissions`, and similar slash
    workflows the same FIFO behavior as plain queued prompts.
    
    ## What Changed
    
    - Added a queued-input action enum so queued items can be dispatched as
    plain prompts, slash commands, or user shell commands.
    - Changed `Tab` queueing to accept slash-led prompts without validating
    them up front, then parse and dispatch them when dequeued.
    - Added `!` shell-command queueing for `Tab` while a task is running,
    while preserving existing `Enter` behavior for immediate shell
    execution.
    - Moved queued slash dispatch through shared slash-command parsing so
    inline commands, unavailable commands, unknown commands, and local
    config commands report at dequeue time.
    - Continued queue draining after local-only actions and after slash menu
    cancellation or selection when no task is running.
    - Preserved slash-popup completion behavior so `/mo<Tab>` completes to
    `/model ` instead of queueing the prefix.
    - Updated pending-input preview snapshots to show queued follow-up
    inputs.
    
    ## Verification
    
    I did a bunch of manual validation (and found and fixed a few bugs along
    the way).