Commit Graph

389 Commits

  • fix: TUI was not honoring --skip-git-repo-check correctly (#1105)
    I discovered that if I ran `codex <PROMPT>` in a cwd that was not a Git
    repo, Codex did not automatically run `<PROMPT>` after I accepted the
    Git warning. It appears that we were not managing the `AppState`
    transition correctly, so this fixes the bug and ensures the Codex
    session does not start until the user accepts the Git warning.
    
    In particular, we now create the `ChatWidget` lazily and store it in the
    `AppState::Chat` variant.
  • fix: overhaul how we spawn commands under seccomp/landlock on Linux (#1086)
    Historically, we spawned the Seatbelt and Landlock sandboxes in
    substantially different ways:
    
    For **Seatbelt**, we would run `/usr/bin/sandbox-exec` with our policy
    specified as an arg followed by the original command:
    
    
    https://github.com/openai/codex/blob/d1de7bb383552e8fadd94be79d65d188e00fd562/codex-rs/core/src/exec.rs#L147-L219
    
    For **Landlock/Seccomp**, we would do
    `tokio::runtime::Builder::new_current_thread()`, _invoke
    Landlock/Seccomp APIs to modify the permissions of that new thread_, and
    then spawn the command:
    
    
    https://github.com/openai/codex/blob/d1de7bb383552e8fadd94be79d65d188e00fd562/codex-rs/core/src/exec_linux.rs#L28-L49
    
    While it is neat that Landlock/Seccomp supports applying a policy to
    only one thread without having to apply it to the entire process, it
    requires us to maintain two different codepaths and is a bit harder to
    reason about. The tipping point was
    https://github.com/openai/codex/pull/1061, in which we had to start
    building up the `env` in an unexpected way for the existing
    Landlock/Seccomp approach to continue to work.
    
    This PR overhauls things so that we do similar things for Mac and Linux.
    It turned out that we were already building our own "helper binary"
    comparable to Mac's `sandbox-exec` as part of the `cli` crate:
    
    
    https://github.com/openai/codex/blob/d1de7bb383552e8fadd94be79d65d188e00fd562/codex-rs/cli/Cargo.toml#L10-L12
    
    We originally created this to build a small binary to include with the
    Node.js version of the Codex CLI to provide support for Linux
    sandboxing.
    
    Though the sticky bit is that, at this point, we still want to deploy
    the Rust version of Codex as a single, standalone binary rather than a
    CLI and a supporting sandboxing binary. To satisfy this goal, we use
    "the arg0 trick," in which we:
    
    * use `std::env::current_exe()` to get the path to the CLI that is
    currently running
    * use the CLI as the `program` for the `Command`
    * set `"codex-linux-sandbox"` as arg0 for the `Command`
    
    A CLI that supports sandboxing should check arg0 at the start of the
    program. If it is `"codex-linux-sandbox"`, it must invoke
    `codex_linux_sandbox::run_main()`, which runs the CLI as if it were
    `codex-linux-sandbox`. When acting as `codex-linux-sandbox`, we make the
    appropriate Landlock/Seccomp API calls and then use `execvp(3)` to spawn
    the original command, so do _replace_ the process rather than spawn a
    subprocess. Incidentally, we do this before starting the Tokio runtime,
    so the process should only have one thread when `execvp(3)` is called.
    
    Because the `core` crate that needs to spawn the Linux sandboxing is not
    a CLI in its own right, this means that every CLI that includes `core`
    and relies on this behavior has to (1) implement it and (2) provide the
    path to the sandboxing executable. While the path is almost always
    `std::env::current_exe()`, we needed to make this configurable for
    integration tests, so `Config` now has a `codex_linux_sandbox_exe:
    Option<PathBuf>` property to facilitate threading this through,
    introduced in https://github.com/openai/codex/pull/1089.
    
    This common pattern is now captured in
    `codex_linux_sandbox::run_with_sandbox()` and all of the `main.rs`
    functions that should use it have been updated as part of this PR.
    
    The `codex-linux-sandbox` crate added to the Cargo workspace as part of
    this PR now has the bulk of the Landlock/Seccomp logic, which makes
    `core` a bit simpler. Indeed, `core/src/exec_linux.rs` and
    `core/src/landlock.rs` were removed/ported as part of this PR. I also
    moved the unit tests for this code into an integration test,
    `linux-sandbox/tests/landlock.rs`, in which I use
    `env!("CARGO_BIN_EXE_codex-linux-sandbox")` as the value for
    `codex_linux_sandbox_exe` since `std::env::current_exe()` is not
    appropriate in that case.
  • feat: add codex_linux_sandbox_exe: Option<PathBuf> field to Config (#1089)
    https://github.com/openai/codex/pull/1086 is a work-in-progress to make
    Linux sandboxing work more like Seatbelt where, for the command we want
    to sandbox, we build up the command and then hand it, and some sandbox
    configuration flags, to another command to set up the sandbox and then
    run it.
    
    In the case of Seatbelt, macOS provides this helper binary and provides
    it at `/usr/bin/sandbox-exec`. For Linux, we have to build our own and
    pass it through (which is what #1086 does), so this makes the new
    `codex_linux_sandbox_exe` available on `Config` so that it will later be
    available in `exec.rs` when we need it in #1086.
  • fix: for the @native release of the Node module, use the Rust version by default (#1084)
    Added logic so that when we run `./scripts/stage_release.sh --native`
    (for the `@native` version of the Node module), we drop a `use-native`
    file next to `codex.js`. If present, `codex.js` will now run the Rust
    CLI.
    
    Ran `./scripts/stage_release.sh --native` and verified that when the
    running `codex.js` in the staged folder:
    
    ```
    $ /var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.efvEvBlSN6/bin/codex.js --version
    codex-cli 0.0.2505220956
    ```
    
    it ran the expected Rust version of the CLI, as desired.
    
    While here, I also updated the Rust version to one that I cut today,
    which includes the new shell environment policy config option:
    https://github.com/openai/codex/pull/1061. Note this may "break" some
    users if the processes spawned by Codex need extra environment
    variables. (We are still working to determine what the right defaults
    should be for this option.)
  • feat: introduce support for shell_environment_policy in config.toml (#1061)
    To date, when handling `shell` and `local_shell` tool calls, we were
    spawning new processes using the environment inherited from the Codex
    process itself. This means that the sensitive `OPENAI_API_KEY` that
    Codex needs to talk to OpenAI models was made available to everything
    run by `shell` and `local_shell`. While there are cases where that might
    be useful, it does not seem like a good default.
    
    This PR introduces a complex `shell_environment_policy` config option to
    control the `env` used with these tool calls. It is inevitably a bit
    complex so that it is possible to override individual components of the
    policy so without having to restate the entire thing.
    
    Details are in the updated `README.md` in this PR, but here is the
    relevant bit that explains the individual fields of
    `shell_environment_policy`:
    
    | Field | Type | Default | Description |
    | ------------------------- | -------------------------- | ------- |
    -----------------------------------------------------------------------------------------------------------------------------------------------
    |
    | `inherit` | string | `core` | Starting template for the
    environment:<br>`core` (`HOME`, `PATH`, `USER`, …), `all` (clone full
    parent env), or `none` (start empty). |
    | `ignore_default_excludes` | boolean | `false` | When `false`, Codex
    removes any var whose **name** contains `KEY`, `SECRET`, or `TOKEN`
    (case-insensitive) before other rules run. |
    | `exclude` | array&lt;string&gt; | `[]` | Case-insensitive glob
    patterns to drop after the default filter.<br>Examples: `"AWS_*"`,
    `"AZURE_*"`. |
    | `set` | table&lt;string,string&gt; | `{}` | Explicit key/value
    overrides or additions – always win over inherited values. |
    | `include_only` | array&lt;string&gt; | `[]` | If non-empty, a
    whitelist of patterns; only variables that match _one_ pattern survive
    the final step. (Generally used with `inherit = "all"`.) |
    
    
    In particular, note that the default is `inherit = "core"`, so:
    
    * if you have extra env variables that you want to inherit from the
    parent process, use `inherit = "all"` and then specify `include_only`
    * if you have extra env variables where you want to hardcode the values,
    the default `inherit = "core"` will work fine, but then you need to
    specify `set`
    
    This configuration is not battle-tested, so we will probably still have
    to play with it a bit. `core/src/exec_env.rs` has the critical business
    logic as well as unit tests.
    
    Though if nothing else, previous to this change:
    
    ```
    $ cargo run --bin codex -- debug seatbelt -- printenv OPENAI_API_KEY
    # ...prints OPENAI_API_KEY...
    ```
    
    But after this change it does not print anything (as desired).
    
    One final thing to call out about this PR is that the
    `configure_command!` macro we use in `core/src/exec.rs` has to do some
    complex logic with respect to how it builds up the `env` for the process
    being spawned under Landlock/seccomp. Specifically, doing
    `cmd.env_clear()` followed by `cmd.envs(&$env_map)` (which is arguably
    the most intuitive way to do it) caused the Landlock unit tests to fail
    because the processes spawned by the unit tests started failing in
    unexpected ways! If we forgo `env_clear()` in favor of updating env vars
    one at a time, the tests still pass. The comment in the code talks about
    this a bit, and while I would like to investigate this more, I need to
    move on for the moment, but I do plan to come back to it to fully
    understand what is going on. For example, this suggests that we might
    not be able to spawn a C program that calls `env_clear()`, which would
    be...weird. We may still have to fiddle with our Landlock config if that
    is the case.
  • feat: show Config overview at start of exec (#1073)
    Now the `exec` output starts with something like:
    
    ```
    --------
    workdir:  /Users/mbolin/code/codex/codex-rs
    model:  o3
    provider:  openai
    approval:  Never
    sandbox:  SandboxPolicy { permissions: [DiskFullReadAccess, DiskWritePlatformUserTempFolder, DiskWritePlatformGlobalTempFolder, DiskWriteCwd, DiskWriteFolder { folder: "/Users/mbolin/.pyenv/shims" }] }
    --------
    ```
    
    which makes it easier to reason about when looking at logs.
  • chore: move types out of config.rs into config_types.rs (#1054)
    `config.rs` is already quite long without these definitions. Since they
    have no real dependencies of their own, let's move them to their own
    file so `config.rs` can focus on the business logic of loading a config.
  • feat: experimental --output-last-message flag to exec subcommand (#1037)
    This introduces an experimental `--output-last-message` flag that can be
    used to identify a file where the final message from the agent will be
    written. Two use cases:
    
    - Ultimately, we will likely add a `--quiet` option to `exec`, but even
    if the user does not want any output written to the terminal, they
    probably want to know what the agent did. Writing the output to a file
    makes it possible to get that information in a clean way.
    - Relatedly, when using `exec` in CI, it is easier to review the
    transcript written "normally," (i.e., not as JSON or something with
    extra escapes), but getting programmatic access to the last message is
    likely helpful, so writing the last message to a file gets the best of
    both worlds.
    
    I am calling this "experimental" because it is possible that we are
    overfitting and will want a more general solution to this problem that
    would justify removing this flag.
  • chore: produce .tar.gz versions of artifacts in addition to .zst (#1036)
    For sparse containers/environments that do not have `zstd`, provide
    `.tar.gz` as alternative archive format.
  • bump(version): 0.1.2505172129 (#1008)
    ## `0.1.2505172129`
    
    ### 🪲 Bug Fixes
    
    - Add node version check (#1007)
    - Persist token after refresh (#1006)
  • fix: persist token after refresh (#1006)
    After a token refresh/exchange, persist the new refresh and id token
  • bump(version): 0.1.2505171619 (#1001)
    ## `0.1.2505171619`
    
    - `codex --login` + `codex --free` (#998)
  • add: codex --login + codex --free (#998)
    ## Summary
    - add `--login` and `--free` flags to cli help
    - handle `--login` and `--free` logic in cli
    - factor out redeem flow into `maybeRedeemCredits`
    - call new helper from login callback
  • chore: update install_native_deps.sh to use rust-v0.0.2505171051 (#995)
    Use a more recent built of the Rust binaries to include with the Node
    module.
  • fix: artifacts from previous frames were bleeding through in TUI (#989)
    Prior to this PR, I would frequently see glyphs from previous frames
    "bleed" through like this:
    
    
    ![image](https://github.com/user-attachments/assets/8784b3d7-f691-4df6-8666-34e2f134ee85)
    
    I think this was due to two issues (now addressed in this PR):
    
    * We were not making use of `ratatui::widgets::Clear` to clear out the
    buffer before drawing into it.
    * To calculate the `width` used with `wrapped_line_count_for_cell()`, we
    were not accounting for the scrollbar.
    * Now we calculate `effective_width` using
    `inner.width.saturating_sub(1)` where the `1` is for the scrollbar.
    * We compute `text_area` using `effective_with` and pass the `text_area`
    to `paragraph.render()`.
    * We eliminate the conditional `needs_scrollbar` check and always call
    `render(Scrollbar)`
    
    I suspect this bug was introduced in
    https://github.com/openai/codex/pull/937, though I did not try to
    verify: I'm just happy that it appears to be fixed!
  • fix: ensure the first user message always displays after the session info (#988)
    Previously, if the first user message was sent with the command
    invocation, e.g.:
    
    ```
    $ cargo run --bin codex 'hello'
    ```
    
    Then the user message was added as the first entry in the history and
    then `is_first_event` would be `false` here:
    
    
    https://github.com/openai/codex/blob/031df77dfb9248fe47b40ec52bf8b05052231722/codex-rs/tui/src/conversation_history_widget.rs#L178-L179
    
    which would prevent the "welcome" message with things like the the model
    version from displaying.
    
    The fix in this PR is twofold:
    
    * Reorganize the logic so the `ChatWidget` constructor stores
    `initial_user_message` rather than sending it right away. Now inside
    `handle_codex_event()`, it waits for the `SessionConfigured` event and
    sends the `initial_user_message`, if it exists.
    * In `conversation_history_widget.rs`, `add_session_info()` checks to
    see whether a `WelcomeMessage` exists in the history when determining
    the value of `has_welcome_message`. By construction, we expect that
    `WelcomeMessage` is always the first message (in which case the existing
    `let is_first_event = self.entries.is_empty();` logic would be sound),
    but we decide to be extra defensive in case an `EventMsg::Error` is
    processed before `EventMsg::SessionConfigured`.
  • Remove unnecessary console log from test (#970)
    When running `npm test` on `codex-cli`, the test
    `agent-cancel-prev-response.test.ts` logs a significant body of text to
    console for no obvious reason.
    
    This is not helpful, as it makes test logs messy and far longer.
    
    This change deletes the `console.log(...)` that produces the behavior.
  • bump(version): 0.1.2505161800 (#978)
    ## `0.1.2505161800`
    
    - Sign in with chatgpt credits (#974)
    - Add support for OpenAI tool type, local_shell (#961)
  • Fix CLA link in workflow (#964)
    ## Summary
    - fix the CLA link posted by the bot
    - docs suggest using an absolute URL:
    https://github.com/marketplace/actions/cla-assistant-lite
  • fix: make codex-mini-latest the default model in the Rust TUI (#972)
    It's time to make `codex-mini-latest` the new default, as this should be
    an "evergreen" model pointer.
    
    * Equivalent change in TypeScript
    https://github.com/openai/codex/pull/951
    * See some notes about using `codex-mini-latest` with MCP in
    https://github.com/openai/codex/pull/961
  • feat: make it possible to toggle mouse mode in the Rust TUI (#971)
    I did a bit of research to understand why I could not use my mouse to
    drag to select text to copy to the clipboard in iTerm.
    
    Apparently https://github.com/openai/codex/pull/641 to enable mousewheel
    scrolling broke this functionality. It seems that, unless we put in a
    bit of effort, we can have drag-to-select or scrolling, but not both.
    Though if you know the trick to hold down `Option` will dragging with
    the mouse in iTerm, you can probably get by with this. (I did not know
    about this option prior to researching this issue.)
    
    Nevertheless, users may still prefer to disable mouse capture
    altogether, so this PR introduces:
    
    * the ability to set `tui.disable_mouse_capture = true` in `config.toml`
    to disable mouse capture
    * a new command, `/toggle-mouse-mode` to toggle mouse capture
  • fix: use text other than 'TODO' as test example (#969)
    I casually `rg TODO` to look for TODOs, so the use of TODO in a sample
    string in test output was throwing things off.
  • feat: add support for OpenAI tool type, local_shell (#961)
    The new `codex-mini-latest` model expects a new tool with `{"type":
    "local_shell"}`. Its contract is similar to the existing `function` tool
    with `"name": "shell"`, so this takes the `local_shell` tool call into
    `ExecParams` and sends it through the existing
    `handle_container_exec_with_params()` code path.
    
    This also adds the following logic when adding the default set of tools
    to a request:
    
    ```rust
    let default_tools = if self.model.starts_with("codex") {
        &DEFAULT_CODEX_MODEL_TOOLS
    } else {
        &DEFAULT_TOOLS
    };
    ```
    
    That is, if the model name starts with `"codex"`, we add `{"type":
    "local_shell"}` to the list of tools; otherwise, we add the
    aforementioned `shell` tool.
    
    To test this, I ran the TUI with `-m codex-mini-latest` and verified
    that it used the `local_shell` tool. Though I also had some entries in
    `[mcp_servers]` in my personal `config.toml`. The `codex-mini-latest`
    model seemed eager to try the tools from the MCP servers first, so I
    have personally commented them out for now, so keep an eye out if you're
    testing `codex-mini-latest`!
    
    Perhaps we should include more details with `{"type": "local_shell"}` or
    update the following:
    
    
    https://github.com/openai/codex/blob/fd0b1b020818dfe8aaf7eb68425f09e86ab1b819/codex-rs/core/prompt.md
    
    For reference, the corresponding change in the TypeScript CLI is
    https://github.com/openai/codex/pull/951.
  • chore: refactor handle_function_call() into smaller functions (#965)
    Overall, `codex.rs` is still far too large, but at least there's less
    indenting now that things have been moved into smaller functions.
    
    This will also make it easier to introduce the `local_shell` tool in
    https://github.com/openai/codex/pull/961.
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/965).
    * #961
    * __->__ #965
  • fix: remove file named ">" in the codex-cli folder (#968)
    This file appears to have been accidentally added in
    https://github.com/openai/codex/pull/912. Its presence makes the repo
    impossible to clone on Windows.
  • bump(version): 0.1.2505161243 (#967)
    ## `0.1.2505161243`
    
    - Sign in with chatgpt (#963)
    - Session history viewer (#912)
    - Apply patch issue when using different cwd (#942)
    - Diff command for filenames with special characters (#954)
  • add: sign in with chatgpt (#963)
    Sign in with ChatGPT to get an API key (flow to grant API credits for Plus/Pro coming later today!)
  • add: session history viewer (#912)
    - A new “/sessions” command is available for browsing previous sessions,
    as shown in the updated slash command list
    
    - The CLI now documents and parses a new “--history” flag to browse past
    sessions from the command line
    
    - A dedicated `SessionsOverlay` component loads session metadata and
    allows toggling between viewing and resuming sessions
    
    - When the sessions overlay is opened during a chat, selecting a session
    can either show the saved rollout or resume it
  • feat: add support for file_opener option in Rust, similiar to #911 (#957)
    This ports the enhancement introduced in
    https://github.com/openai/codex/pull/911 (and the fixes in
    https://github.com/openai/codex/pull/919) for the TypeScript CLI to the
    Rust one.
  • fix: apply patch issue when using different cwd (#942)
    If you run a codex instance outside of the current working directory
    from where you launched the codex binary it won't be able to apply
    patches correctly, even if the sandbox policy allows it. This manifests
    weird behaviours, such as
    
    * Reading the same filename in the binary working directory, and
    overwriting it in the session working directory. e.g. if you have a
    `readme` in both folders it will overwrite the readme in the session
    working directory with the readme in the binary working directory
    *applied with the suggested patch*.
    * The LLM ends up in weird loops trying to verify and debug why the
    apply_patch won't work, and it can result in it applying patches by
    manually writing python or javascript if it figures out that either is
    supported by the system instead.
    
    I added a test-case to ensure that the patch contents are based on the
    cwd.
    
    ## Issue: mixing relative & absolute paths in apply_patch
    
    1. The apply_patch tool use relative paths based on the session working
    directory.
    2. `unified_diff_from_chunks` eventually ends up [reading the source
    file](https://github.com/reflectionai/codex/blob/main/codex-rs/apply-patch/src/lib.rs#L410)
    to figure out what the diff is, by using the relative path.
    3. The changes are targeted using an absolute path derived from the
    current working directory.
    
    The end-result in case session working directory differs from the binary
    working directory: we get the diff for a file relative to the binary
    working directory, and apply it on a file in the session working
    directory.
  • fix: diff command for filenames with special characters (#954)
    ## Summary
    - fix quoting issues in `/diff` to correctly handle files with special
    characters
    - add regression test for `getGitDiff` when filenames contain `$`
    - relax timeout in raw-exec-process-group test
    
    Fixes https://github.com/openai/codex/issues/943
    
    ## Testing
    - `pnpm test`
  • bump(version): 0.1.2505160811 codex-mini-latest (#953)
    ## `0.1.2505160811`
    
    - `codex-mini-latest` (#951)
  • chore: update exec crate to use std::time instead of chrono (#952)
    When I originally wrote `elapsed.rs`, I realized we were using both
    `std::time` and `chrono` with no real benefit of having both. We should
    try to keep the `exec` subcommand trim (as it also buildable as a
    standalone executable), so this helps tighten things up.
  • add: codex-mini-latest (#951)
    💽
    
    ---------
    
    Co-authored-by: Trevor Creech <tcreech@openai.com>
  • feat: record messages from user in ~/.codex/history.jsonl (#939)
    This is a large change to support a "history" feature like you would
    expect in a shell like Bash.
    
    History events are recorded in `$CODEX_HOME/history.jsonl`. Because it
    is a JSONL file, it is straightforward to append new entries (as opposed
    to the TypeScript file that uses `$CODEX_HOME/history.json`, so to be
    valid JSON, each new entry entails rewriting the entire file). Because
    it is possible for there to be multiple instances of Codex CLI writing
    to `history.jsonl` at once, we use advisory file locking when working
    with `history.jsonl` in `codex-rs/core/src/message_history.rs`.
    
    Because we believe history is a sufficiently useful feature, we enable
    it by default. Though to provide some safety, we set the file
    permissions of `history.jsonl` to be `o600` so that other users on the
    system cannot read the user's history. We do not yet support a default
    list of `SENSITIVE_PATTERNS` as the TypeScript CLI does:
    
    
    https://github.com/openai/codex/blob/3fdf9df1335ac9501e3fb0e61715359145711e8b/codex-cli/src/utils/storage/command-history.ts#L10-L17
    
    We are going to take a more conservative approach to this list in the
    Rust CLI. For example, while `/\b[A-Za-z0-9-_]{20,}\b/` might exclude
    sensitive information like API tokens, it would also exclude valuable
    information such as references to Git commits.
    
    As noted in the updated documentation, users can opt-out of history by
    adding the following to `config.toml`:
    
    ```toml
    [history]
    persistence = "none" 
    ```
    
    Because `history.jsonl` could, in theory, be quite large, we take a[n
    arguably overly pedantic] approach in reading history entries into
    memory. Specifically, we start by telling the client the current number
    of entries in the history file (`history_entry_count`) as well as the
    inode (`history_log_id`) of `history.jsonl` (see the new fields on
    `SessionConfiguredEvent`).
    
    The client is responsible for keeping new entries in memory to create a
    "local history," but if the user hits up enough times to go "past" the
    end of local history, then the client should use the new
    `GetHistoryEntryRequest` in the protocol to fetch older entries.
    Specifically, it should pass the `history_log_id` it was given
    originally and work backwards from `history_entry_count`. (It should
    really fetch history in batches rather than one-at-a-time, but that is
    something we can improve upon in subsequent PRs.)
    
    The motivation behind this crazy scheme is that it is designed to defend
    against:
    
    * The `history.jsonl` being truncated during the session such that the
    index into the history is no longer consistent with what had been read
    up to that point. We do not yet have logic to enforce a `max_bytes` for
    `history.jsonl`, but once we do, we will aspire to implement it in a way
    that should result in a new inode for the file on most systems.
    * New items from concurrent Codex CLI sessions amending to the history.
    Because, in absence of truncation, `history.jsonl` is an append-only
    log, so long as the client reads backwards from `history_entry_count`,
    it should always get a consistent view of history. (That said, it will
    not be able to read _new_ commands from concurrent sessions, but perhaps
    we will introduce a `/` command to reload latest history or something
    down the road.)
    
    Admittedly, my testing of this feature thus far has been fairly light. I
    expect we will find bugs and introduce enhancements/fixes going forward.
  • chore: introduce AppEventSender to help fix clippy warnings and update to Rust 1.87 (#948)
    Moving to Rust 1.87 introduced a clippy warning that
    `SendError<AppEvent>` was too large.
    
    In practice, the only thing we ever did when we got this error was log
    it (if the mspc channel is closed, then the app is likely shutting down
    or something, so there's not much to do...), so this finally motivated
    me to introduce `AppEventSender`, which wraps
    `std::sync::mpsc::Sender<AppEvent>` with a `send()` method that invokes
    `send()` on the underlying `Sender` and logs an `Err` if it gets one.
    
    This greatly simplifies the code, as many functions that previously
    returned `Result<(), SendError<AppEvent>>` now return `()`, so we don't
    have to propagate an `Err` all over the place that we don't really
    handle, anyway.
    
    This also makes it so we can upgrade to Rust 1.87 in CI.
  • chore: pin Rust version to 1.86 and use io::Error::other to prepare for 1.87 (#947)
    Previously, our GitHub actions specified the Rust toolchain as
    `dtolnay/rust-toolchain@stable`, which meant the version could change
    out from under us. In this case, the move from 1.86 to 1.87 introduced
    new clippy warnings, causing build failures.
    
    Because it will take a little time to fix all the new clippy warnings,
    this PR pins things to 1.86 for now to unbreak the build.
    
    It also replaces `io::Error::new(io::ErrorKind::Other)` with
    `io::Error::other()` in preparation for 1.87.
  • fix: properly wrap lines in the Rust TUI (#937)
    As discussed on
    https://github.com/openai/codex/commit/699ec5a87f09796d17c0202cd92a1dd4d8b4f3f5#commitcomment-156776835,
    to properly support scrolling long content in Ratatui for a sequence of
    cells, we need to:
    
    * take the `Vec<Line>` for each cell
    * using the wrapping logic we want to use at render time, compute the
    _effective line count_ using `Paragraph::line_count()` (see
    `wrapped_line_count_for_cell()` in this PR)
    * sum up the effective line count to compute the height of the area
    being scrolled
    * given a `scroll_position: usize`, index into the list of "effective
    lines" and accumulate the appropriate `Vec<Line>` for the cells that
    should be displayed
    * take that `Vec<Line>` to create a `Paragraph` and use the same
    line-wrapping policy that was used in `wrapped_line_count_for_cell()`
    * display the resulting `Paragraph` and use the accounting to display a
    scrollbar with the appropriate thumb size and offset without having to
    render the `Vec<Line>` for the full history
    
    With this change, lines wrap as I expect and everything appears to
    redraw correctly as I resize my terminal!
  • chore: handle all cases for EventMsg (#936)
    For now, this removes the `#[non_exhaustive]` directive on `EventMsg` so
    that we are forced to handle all `EventMsg` by default. (We may revisit
    this if/when we publish `core/` as a `lib` crate.) For now, it is
    helpful to have this as a forcing function because we have effectively
    two UIs (`tui` and `exec`) and usually when we add a new variant to
    `EventMsg`, we want to be sure that we update both.
  • feat: add mcp subcommand to CLI to run Codex as an MCP server (#934)
    Previously, running Codex as an MCP server required a standalone binary
    in our Cargo workspace, but this PR makes it available as a subcommand
    (`mcp`) of the main CLI.
    
    Ran this with:
    
    ```
    RUST_LOG=debug npx @modelcontextprotocol/inspector cargo run --bin codex -- mcp
    ```
    
    and verified it worked as expected in the inspector at
    `http://127.0.0.1:6274/`.
  • feat: add support for commands in the Rust TUI (#935)
    Introduces support for slash commands like in the TypeScript CLI. We do
    not support the full set of commands yet, but the core abstraction is
    there now.
    
    In particular, we have a `SlashCommand` enum and due to thoughtful use
    of the [strum](https://crates.io/crates/strum) crate, it requires
    minimal boilerplate to add a new command to the list.
    
    The key new piece of UI is `CommandPopup`, though the keyboard events
    are still handled by `ChatComposer`. The behavior is roughly as follows:
    
    * if the first character in the composer is `/`, the command popup is
    displayed (if you really want to send a message to Codex that starts
    with a `/`, simply put a space before the `/`)
    * while the popup is displayed, up/down can be used to change the
    selection of the popup
    * if there is a selection, hitting tab completes the command, but does
    not send it
    * if there is a selection, hitting enter sends the command
    * if the prefix of the composer matches a command, the command will be
    visible in the popup so the user can see the description (commands could
    take arguments, so additional text may appear after the command name
    itself)
    
    
    https://github.com/user-attachments/assets/39c3e6ee-eeb7-4ef7-a911-466d8184975f
    
    Incidentally, Codex wrote almost all the code for this PR!
  • chore: move each view used in BottomPane into its own file (#928)
    `BottomPane` was getting a bit unwieldy because it maintained a
    `PaneState` enum with three variants and many of its methods had `match`
    statements to handle each variant. To replace the enum, this PR:
    
    * Introduces a `trait BottomPaneView` that has two implementations:
    `StatusIndicatorView` and `ApprovalModalView`.
    * Migrates `PaneState::TextInput` into its own struct, `ChatComposer`,
    that does **not** implement `BottomPaneView`.
    * Updates `BottomPane` so it has `composer: ChatComposer` and
    `active_view: Option<Box<dyn BottomPaneView<'a> + 'a>>`. The idea is
    that `active_view` takes priority and is displayed when it is `Some`;
    otherwise, `ChatComposer` is displayed.
    * While methods of `BottomPane` often have to check whether
    `active_view` is present to decide which component to delegate to, the
    code is more straightforward than before and introducing new
    implementations of `BottomPaneView` should be less painful.
    
    Because we want to retain the `TextArea` owned by `ChatComposer` even
    when another view is displayed, to keep the ownership logic simple, it
    seemed best to keep `ChatComposer` distinct from `BottomPaneView`.
  • fix: increase timeout for test_dev_null_write (#933)
    After updating this test in https://github.com/openai/codex/pull/923, I
    have been getting some timeouts with this test in CI, so increasing the
    timeout to match that of `test_writable_root`:
    
    
    https://github.com/openai/codex/blob/327cf41f0ff7f0816a141a260704270ed38c9fa4/codex-rs/core/src/landlock.rs#L211-L213