Commit Graph

1978 Commits

  • Fix admin skills. (#8305)
    We were assembling the skill roots in two different places, and the
    admin root was missing in one of them. This change centralizes root
    selection into a helper so both paths stay in sync.
  • Support admin scope skills. (#8296)
    a new scope reads from /etc/codex
  • Fix tests (#8299)
    Fix broken tests.
  • UI tweaks on skills popup. (#8250)
    Only display the skill name (not the folder), and truncate the skill
    description to a maximum of two lines.
  • feat: collapse "waiting" of unified_exec (#8257)
    Screenshots here but check the snapshot files to see it better
    <img width="712" height="408" alt="Screenshot 2025-12-18 at 11 58 02"
    src="https://github.com/user-attachments/assets/84a2c410-0767-4870-84d1-ae1c0d4c445e"
    />
    <img width="523" height="352" alt="Screenshot 2025-12-18 at 11 17 41"
    src="https://github.com/user-attachments/assets/d029c7ea-0feb-4493-9dca-af43a0c70c52"
    />
  • feat: introduce ExternalSandbox policy (#8290)
    ## Description
    
    Introduced `ExternalSandbox` policy to cover use case when sandbox
    defined by outside environment, effectively it translates to
    `SandboxMode#DangerFullAccess` for file system (since sandbox configured
    on container level) and configurable `network_access` (either Restricted
    or Enabled by outside environment).
    
    as example you can configure `ExternalSandbox` policy as part of
    `sendUserTurn` v1 app_server API:
    
    ```
     {
                "conversationId": <id>,
                "cwd": <cwd>,
                "approvalPolicy": "never",
                "sandboxPolicy": {
                      "type": ""external-sandbox",
                      "network_access": "enabled"/"restricted"
                },
                "model": <model>,
                "effort": <effort>,
                ....
            }
    ```
  • chore: migrate from Config::load_from_base_config_with_overrides to ConfigBuilder (#8276)
    https://github.com/openai/codex/pull/8235 introduced `ConfigBuilder` and
    this PR updates all call non-test call sites to use it instead of
    `Config::load_from_base_config_with_overrides()`.
    
    This is important because `load_from_base_config_with_overrides()` uses
    an empty `ConfigRequirements`, which is a reasonable default for testing
    so the tests are not influenced by the settings on the host. This method
    is now guarded by `#[cfg(test)]` so it cannot be used by business logic.
    
    Because `ConfigBuilder::build()` is `async`, many of the test methods
    had to be migrated to be `async`, as well. On the bright side, this made
    it possible to eliminate a bunch of `block_on_future()` stuff.
  • fix: change codex/sandbox-state/update from a notification to a request (#8142)
    Historically, `accept_elicitation_for_prompt_rule()` was flaky because
    we were using a notification to update the sandbox followed by a `shell`
    tool request that we expected to be subject to the new sandbox config,
    but because [rmcp](https://crates.io/crates/rmcp) MCP servers delegate
    each incoming message to a new Tokio task, messages are not guaranteed
    to be processed in order, so sometimes the `shell` tool call would run
    before the notification was processed.
    
    Prior to this PR, we relied on a generous `sleep()` between the
    notification and the request to reduce the change of the test flaking
    out.
    
    This PR implements a proper fix, which is to use a _request_ instead of
    a notification for the sandbox update so that we can wait for the
    response to the sandbox request before sending the request to the
    `shell` tool call. Previously, `rmcp` did not support custom requests,
    but I fixed that in
    https://github.com/modelcontextprotocol/rust-sdk/pull/590, which made it
    into the `0.12.0` release (see #8288).
    
    This PR updates `shell-tool-mcp` to expect
    `"codex/sandbox-state/update"` as a _request_ instead of a notification
    and sends the appropriate ack. Note this behavior is tied to our custom
    `codex/sandbox-state` capability, which Codex honors as an MCP client,
    which is why `core/src/mcp_connection_manager.rs` had to be updated as
    part of this PR, as well.
    
    This PR also updates the docs at `shell-tool-mcp/README.md`.
  • Support skills shortDescription. (#8278)
    Allow SKILL.md to specify a more human-readable short description as
    skill metadata.
  • chore: upgrade rmcp crate from 0.10.0 to 0.12.0 (#8288)
    Version `0.12.0` includes
    https://github.com/modelcontextprotocol/rust-sdk/pull/590, which I will
    use in https://github.com/openai/codex/pull/8142.
    
    Changes:
    
    - `rmcp::model::CustomClientNotification` was renamed to
    `rmcp::model::CustomNotification`
    - a bunch of types have a `meta` field now, but it is `Option`, so I
    added `meta: None` to a bunch of things
  • model list (#8286)
    <img width="200" alt="7ff2254b-e96f-42fc-8232-b4e76cb26248"
    src="https://github.com/user-attachments/assets/1f56799d-e2cd-4b69-9290-854943f7c6b6"
    />
  • feat(app-server): add v2 deprecation notice (#8285)
    Add a v2 event for deprecation notices so we can get rid of
    `codex/event/deprecation_notice`.
  • feat: add support for /etc/codex/requirements.toml on UNIX (#8277)
    This implements the new config design where config _requirements_ are
    loaded separately (and with a special schema) as compared to config
    _settings_. In particular, on UNIX, with this PR, you could define
    `/etc/codex/requirements.toml` with:
    
    ```toml
    allowed_approval_policies = ["never", "on-request"]
    ```
    
    to enforce that `Config.approval_policy` must be one of those two values
    when Codex runs.
    
    We plan to expand the set of things that can be restricted by
    `/etc/codex/requirements.toml` in short order.
    
    Note that requirements can come from several sources:
    
    - new MDM key on macOS (not implemented yet)
    - `/etc/codex/requirements.toml`
    - re-interpretation of legacy MDM key on macOS
    (`com.openai.codex/config_toml_base64`)
    - re-interpretation of legacy `/etc/codex/managed_config.toml`
    
    So our resolution strategy is to load TOML data from those sources, in
    order. Later TOMLs are "merged" into previous TOMLs, but any field that
    is already set cannot be overwritten. See
    `ConfigRequirementsToml::merge_unset_fields()`.
  • feat: add /ps (#8279)
    See snapshots for view of edge cases
    This is still named `UnifiedExecSessions` for consistency across the
    code but should be renamed to `BackgroundTerminals` in a follow-up
    
    Example:
    <img width="945" height="687" alt="Screenshot 2025-12-18 at 20 12 53"
    src="https://github.com/user-attachments/assets/92f39ff2-243c-4006-b402-e3fa9e93c952"
    />
  • add a default dacl to restricted token to enable reading of pipes (#8280)
    this fixes sandbox errors (legacy and elevated) for commands that
    include pipes, which the model often favors.
  • Terminal Detection Metadata for Per-Terminal Scroll Scaling (#8252)
    # Terminal Detection Metadata for Per-Terminal Scroll Scaling
    
    ## Summary
    Expand terminal detection into structured metadata (`TerminalInfo`) with
    multiplexer awareness, plus a testable environment shim and
    characterization tests.
    
    ## Context / Motivation
    - TUI2 owns its viewport and scrolling model (see
    `codex-rs/tui2/docs/tui_viewport_and_history.md`), so scroll behavior
    must be consistent across terminals and independent of terminal
    scrollback quirks.
    - Prior investigations show mouse wheel scroll deltas vary noticeably by
    terminal. To tune scroll scaling (line increments per wheel tick) we
    need reliable terminal identification, including when running inside
    tmux/zellij.
    - tmux is especially tricky because it can mask the underlying terminal;
    we now consult `tmux display-message` client termtype/name to attribute
    sessions to the actual terminal rather than tmux itself.
    - This remains backwards compatible with the existing OpenTelemetry
    user-agent token because `user_agent()` is still derived from the same
    environment signals (now via `TerminalInfo`).
    
    ## Changes
    - Introduce `TerminalInfo`, `TerminalName`, and `Multiplexer` with
    `TERM_PROGRAM`/`TERM`/multiplexer detection and user-agent formatting in
    `codex-rs/core/src/terminal.rs`.
    - Add an injectable `Environment` trait + `FakeEnvironment` for testing,
    and comprehensive characterization tests covering known terminals, tmux
    client termtype/name, and zellij.
    - Document module usage and detection order; update `terminal_info()` to
    be the primary interface for callers.
    
    ## Testing
    - `cargo test -p codex-core terminal::tests`
    - manually checked ghostty, iTerm2, Terminal.app, vscode, tmux, zellij,
    Warp, alacritty, kitty.
    ```
    2025-12-18T07:07:49.191421Z  INFO Detected terminal info terminal=TerminalInfo { name: Iterm2, term_program: Some("iTerm.app"), version: Some("3.6.6"), term: None, multiplexer: None }
    2025-12-18T07:07:57.991776Z  INFO Detected terminal info terminal=TerminalInfo { name: AppleTerminal, term_program: Some("Apple_Terminal"), version: Some("455.1"), term: None, multiplexer: None }
    2025-12-18T07:08:07.732095Z  INFO Detected terminal info terminal=TerminalInfo { name: WarpTerminal, term_program: Some("WarpTerminal"), version: Some("v0.2025.12.10.08.12.stable_03"), term: None, multiplexer: None }
    2025-12-18T07:08:24.860316Z  INFO Detected terminal info terminal=TerminalInfo { name: Kitty, term_program: None, version: None, term: None, multiplexer: None }
    2025-12-18T07:08:38.302761Z  INFO Detected terminal info terminal=TerminalInfo { name: Alacritty, term_program: None, version: None, term: None, multiplexer: None }
    2025-12-18T07:08:50.887748Z  INFO Detected terminal info terminal=TerminalInfo { name: VsCode, term_program: Some("vscode"), version: Some("1.107.1"), term: None, multiplexer: None }
    2025-12-18T07:10:01.309802Z  INFO Detected terminal info terminal=TerminalInfo { name: WezTerm, term_program: Some("WezTerm"), version: Some("20240203-110809-5046fc22"), term: None, multiplexer: None }
    2025-12-18T08:05:17.009271Z  INFO Detected terminal info terminal=TerminalInfo { name: Ghostty, term_program: Some("ghostty"), version: Some("1.2.3"), term: None, multiplexer: None }
    2025-12-18T08:05:23.819973Z  INFO Detected terminal info terminal=TerminalInfo { name: Ghostty, term_program: Some("ghostty"), version: Some("1.2.3"), term: Some("xterm-ghostty"), multiplexer: Some(Tmux { version: Some("3.6a") }) }
    2025-12-18T08:05:35.572853Z  INFO Detected terminal info terminal=TerminalInfo { name: Ghostty, term_program: Some("ghostty"), version: Some("1.2.3"), term: None, multiplexer: Some(Zellij) }
    ```
    
    ## Notes / Follow-ups
    - Next step is to wire `TerminalInfo` into TUI2’s scroll scaling
    configuration and add a per-terminal tuning table.
    - The log output in TUI2 helps validate real-world detection before
    applying behavior changes.
  • grant read ACL to exe directory first so we can call the command runner (#8275)
    when granting read access to the sandbox user, grant the
    codex/command-runner exe directory first so commands can run before the
    entire read ACL process is finished.
  • tui: improve rendering of search cell (#8273)
    before:
    
    <img width="795" height="150" alt="Screenshot 2025-12-18 at 10 48 01 AM"
    src="https://github.com/user-attachments/assets/6f4d8856-b4c2-4e2a-b60a-b86f82b956a0"
    />
    
    after:
    
    <img width="795" height="150" alt="Screenshot 2025-12-18 at 10 48 39 AM"
    src="https://github.com/user-attachments/assets/dd0d167a-5d09-4bb7-9d36-95a2eb1aaa83"
    />
  • splash screen (#8270)
    # External (non-OpenAI) Pull Request Requirements
    
    Before opening this Pull Request, please read the dedicated
    "Contributing" markdown file or your PR may be closed:
    https://github.com/openai/codex/blob/main/docs/contributing.md
    
    If your PR conforms to our contribution guidelines, replace this text
    with a detailed and high quality description of your changes.
    
    Include a link to a bug report or enhancement request.
  • feat: migrate to new constraint-based loading strategy (#8251)
    This is a significant change to how layers of configuration are applied.
    In particular, the `ConfigLayerStack` now has two important fields:
    
    - `layers: Vec<ConfigLayerEntry>`
    - `requirements: ConfigRequirements`
    
    We merge `TomlValue`s across the layers, but they are subject to
    `ConfigRequirements` before creating a `Config`.
    
    How I would review this PR:
    
    - start with `codex-rs/app-server-protocol/src/protocol/v2.rs` and note
    the new variants added to the `ConfigLayerSource` enum:
    `LegacyManagedConfigTomlFromFile` and `LegacyManagedConfigTomlFromMdm`
    - note that `ConfigLayerSource` now has a `precedence()` method and
    implements `PartialOrd`
    - `codex-rs/core/src/config_loader/layer_io.rs` is responsible for
    loading "admin" preferences from `/etc/codex/managed_config.toml` and
    MDM. Because `/etc/codex/managed_config.toml` is now deprecated in favor
    of `/etc/codex/requirements.toml` and `/etc/codex/config.toml`, we now
    include some extra information on the `LoadedConfigLayers` returned in
    `layer_io.rs`.
    - `codex-rs/core/src/config_loader/mod.rs` has major changes to
    `load_config_layers_state()`, which is what produces `ConfigLayerStack`.
    The docstring has the new specification and describes the various layers
    that will be loaded and the precedence order.
    - It uses the information from `LoaderOverrides` "twice," both in the
    spirit of legacy support:
    - We use one instances to derive an instance of `ConfigRequirements`.
    Currently, the only field in `managed_config.toml` that contributes to
    `ConfigRequirements` is `approval_policy`. This PR introduces
    `Constrained::allow_only()` to support this.
    - We use a clone of `LoaderOverrides` to derive
    `ConfigLayerSource::LegacyManagedConfigTomlFromFile` and
    `ConfigLayerSource::LegacyManagedConfigTomlFromMdm` layers, as
    appropriate. As before, this ends up being a "best effort" at enterprise
    controls, but is enforcement is not guaranteed like it is for
    `ConfigRequirements`.
    - Now we only create a "user" layer if `$CODEX_HOME/config.toml` exists.
    (Previously, a user layer was always created for `ConfigLayerStack`.)
    - Similarly, we only add a "session flags" layer if there are CLI
    overrides.
    - `config_loader/state.rs` contains the updated implementation for
    `ConfigLayerStack`. Note the public API is largely the same as before,
    but the implementation is quite different. We leverage the fact that
    `ConfigLayerSource` is now `PartialOrd` to ensure layers are in the
    correct order.
    - A `Config` constructed via `ConfigBuilder.build()` will use
    `load_config_layers_state()` to create the `ConfigLayerStack` and use
    the associated `ConfigRequirements` when constructing the `Config`
    object.
    - That said, a `Config` constructed via
    `Config::load_from_base_config_with_overrides()` does _not_ yet use
    `ConfigBuilder`, so it creates a `ConfigRequirements::default()` instead
    of loading a proper `ConfigRequirements`. I will fix this in a
    subsequent PR.
    
    Then the following files are mostly test changes:
    
    ```
    codex-rs/app-server/tests/suite/v2/config_rpc.rs
    codex-rs/core/src/config/service.rs
    codex-rs/core/src/config_loader/tests.rs
    ```
    
    Again, because we do not always include "user" and "session flags"
    layers when the contents are empty, `ConfigLayerStack` sometimes has
    fewer layers than before (and the precedence order changed slightly),
    which is the main reason integration tests changed.
  • cloud: default to current branch in cloud exec (#7460)
    ## Summary
    - add a shared git-ref resolver and use it for `codex cloud exec` and
    TUI task submission
    - expose a new `--branch` flag to override the git ref passed to cloud
    tasks
    - cover the git-ref resolution behavior with new async unit tests and
    supporting dev dependencies
    
    ## Testing
    - cargo test -p codex-cloud-tasks
    
    
    ------
    [Codex
    Task](https://chatgpt.com/codex/tasks/task_i_692decc6cbec8332953470ef063e11ab)
    
    ---------
    
    Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
    Co-authored-by: Jeremy Rose <172423086+nornagon-openai@users.noreply.github.com>
    Co-authored-by: Jeremy Rose <nornagon@openai.com>
  • feat: add name to beta features (#8266)
    Add a name to Beta features
    
    <img width="906" height="153" alt="Screenshot 2025-12-18 at 16 42 49"
    src="https://github.com/user-attachments/assets/d56f3519-0613-4d9a-ad4d-38b1a7eb125a"
    />
  • caribou (#8265)
    Welcome caribou
    
    <img width="1536" height="1024" alt="image"
    src="https://github.com/user-attachments/assets/2a67b21f-40cf-4518-aee4-691af331ab50"
    />
  • chore: prefer AsRef<Path> to &Path (#8249)
    This is some minor API cleanup that will make it easier to use
    `AbsolutePathBuf` in more places in a subsequent PR.
  • chores: clean picker (#8232)
    # External (non-OpenAI) Pull Request Requirements
    
    Before opening this Pull Request, please read the dedicated
    "Contributing" markdown file or your PR may be closed:
    https://github.com/openai/codex/blob/main/docs/contributing.md
    
    If your PR conforms to our contribution guidelines, replace this text
    with a detailed and high quality description of your changes.
    
    Include a link to a bug report or enhancement request.
  • chore: simplify loading of Mac-specific logic in config_loader (#8248)
    Over in `config_loader/macos.rs`, we were doing this complicated `mod`
    thing to expose one version of `load_managed_admin_config_layer()` for
    Mac:
    
    
    https://github.com/openai/codex/blob/580c59aa9af61cb4bffb5b204bd16a5dcc4bc911/codex-rs/core/src/config_loader/macos.rs#L4-L5
    
    While exposing a trivial implementation for non-Mac:
    
    
    https://github.com/openai/codex/blob/580c59aa9af61cb4bffb5b204bd16a5dcc4bc911/codex-rs/core/src/config_loader/macos.rs#L110-L117
    
    That was being used like this:
    
    
    https://github.com/openai/codex/blob/580c59aa9af61cb4bffb5b204bd16a5dcc4bc911/codex-rs/core/src/config_loader/layer_io.rs#L47-L48
    
    This PR simplifies that callsite in `layer_io.rs` to just be:
    
    ```rust
        #[cfg(not(target_os = "macos"))]
        let managed_preferences = None;
    ```
    
    And updates `config_loader/mod.rs` so we only pull in `macos.rs` on Mac:
    
    ```rust
    #[cfg(target_os = "macos")]
    mod macos;
    ```
    
    This simplifies `macos.rs` considerably, though it looks like a big
    change because everything gets unindented and reformatted because we can
    drop the whole `mod native` thing now.
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/8248).
    * #8251
    * #8249
    * __->__ #8248
  • Reintroduce feature flags for skills. (#8244)
    1. Reintroduce feature flags for skills;
    2. UI tweaks (truncate descriptions, better validation error display).
  • Change "Team" to "Buisness" and add Education (#8221)
    This pull request updates the ChatGPT login description in the
    onboarding authentication widgets to clarify which plans include usage.
    The description now lists "Business" rather than "Team" and adds
    "Education" plans in addition to the previously mentioned plans.
    
    I have read the CLA Document and I hereby sign the CLAs.
    
    ---------
    
    Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
  • fix: introduce ConfigBuilder (#8235)
    Introduce `ConfigBuilder` as an alternative to our existing `Config`
    constructors.
    
    I noticed that the existing constructors,
    `Config::load_with_cli_overrides()` and
    `Config::load_with_cli_overrides_and_harness_overrides()`, did not take
    `codex_home` as a parameter, which can be a problem.
    
    Historically, when Codex was purely a CLI, we wanted to be extra sure
    that the creation of `codex_home` was always done via
    `find_codex_home()`, so we did not expose `codex_home` as a parameter
    when creating `Config` in business logic. But in integration tests,
    `codex_home` nearly always needs to be configured (as a temp directory),
    which is why callers would have to go through
    `Config::load_from_base_config_with_overrides()` instead.
    
    Now that the Codex harness also functions as an app server, which could
    conceivably load multiple threads where `codex_home` is parameterized
    differently in each one, I think it makes sense to make this
    configurable. Going to a builder pattern makes it more flexible to
    ensure an arbitrary permutation of options can be set when constructing
    a `Config` while using the appropriate defaults for the options that
    aren't set explicitly.
    
    Ultimately, I think this should make it possible for us to make
    `Config::load_from_base_config_with_overrides()` private because all
    integration tests should be able to leverage `ConfigBuilder` instead.
    Though there could be edge cases, so I'll pursue that migration after we
    get through the current config overhaul.
    
    
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/8235).
    * #8237
    * __->__ #8235
  • Make loading malformed skills fail-open (#8243)
    Instead of failing to start Codex, clearly call out that N skills did
    not load and provide warnings so that the user may fix them.
    
    <img width="3548" height="874" alt="image"
    src="https://github.com/user-attachments/assets/6ce041b2-1373-4007-a6dd-0194e58fafe4"
    />
  • Support SYSTEM skills. (#8220)
    1. Remove PUBLIC skills and introduce SYSTEM skills embedded in the
    binary and installed into $CODEX_HOME/skills/.system at startup.
    2. Skills are now always enabled (feature flag removed).
    3. Update skills/list to accept forceReload and plumb it through (not
    used by clients yet).
  • Show migration link (#8228)
    # External (non-OpenAI) Pull Request Requirements
    
    Before opening this Pull Request, please read the dedicated
    "Contributing" markdown file or your PR may be closed:
    https://github.com/openai/codex/blob/main/docs/contributing.md
    
    If your PR conforms to our contribution guidelines, replace this text
    with a detailed and high quality description of your changes.
    
    Include a link to a bug report or enhancement request.
  • chore: cleanup Config instantiation codepaths (#8226)
    This PR does various types of cleanup before I can proceed with more
    ambitious changes to config loading.
    
    First, I noticed duplicated code across these two methods:
    
    
    https://github.com/openai/codex/blob/774bd9e432fa2e0f4e059e97648cf92216912e19/codex-rs/core/src/config/mod.rs#L314-L324
    
    
    https://github.com/openai/codex/blob/774bd9e432fa2e0f4e059e97648cf92216912e19/codex-rs/core/src/config/mod.rs#L334-L344
    
    This has now been consolidated in
    `load_config_as_toml_with_cli_overrides()`.
    
    Further, I noticed that `Config::load_with_cli_overrides()` took two
    similar arguments:
    
    
    https://github.com/openai/codex/blob/774bd9e432fa2e0f4e059e97648cf92216912e19/codex-rs/core/src/config/mod.rs#L308-L311
    
    The difference between `cli_overrides` and `overrides` was not
    immediately obvious to me. At first glance, it appears that one should
    be able to be expressed in terms of the other, but it turns out that
    some fields of `ConfigOverrides` (such as `cwd` and
    `codex_linux_sandbox_exe`) are, by design, not configurable via a
    `.toml` file or a command-line `--config` flag.
    
    That said, I discovered that many callers of
    `Config::load_with_cli_overrides()` were passing
    `ConfigOverrides::default()` for `overrides`, so I created two separate
    methods:
    
    - `Config::load_with_cli_overrides(cli_overrides: Vec<(String,
    TomlValue)>)`
    - `Config::load_with_cli_overrides_and_harness_overrides(cli_overrides:
    Vec<(String, TomlValue)>, harness_overrides: ConfigOverrides)`
    
    The latter has a long name, as it is _not_ what should be used in the
    common case, so the extra typing is designed to draw attention to this
    fact. I tried to update the existing callsites to use the shorter name,
    where possible.
    
    Further, in the cases where `ConfigOverrides` is used, usually only a
    limited subset of fields are actually set, so I updated the declarations
    to leverage `..Default::default()` where possible.
  • feat: model picker (#8209)
    # External (non-OpenAI) Pull Request Requirements
    
    Before opening this Pull Request, please read the dedicated
    "Contributing" markdown file or your PR may be closed:
    https://github.com/openai/codex/blob/main/docs/contributing.md
    
    If your PR conforms to our contribution guidelines, replace this text
    with a detailed and high quality description of your changes.
    
    Include a link to a bug report or enhancement request.
  • speed and reliability improvements for setting reads ACLs (#8216)
    - Batch read ACL creation for online/offline sandbox user
    - creates a new ACL helper process that is long-lived and runs in the
    background
    - uses a mutex so that only one helper process is running at a time.
  • Load models from static file (#8153)
    - Load models from static file as a fallback
    - Make API users use this file directly
    - Add tests to make sure updates to the file always serialize
  • feat: make list_models non-blocking (#8198)
    ### Summary
    * Make `app_server.list_models` to be non-blocking and consumers (i.e.
    extension) can manage the flow themselves.
    * Force config to use remote models and therefore fetch codex-auto model
    list.
  • fix: PathBuf -> AbsolutePathBuf in ConfigToml struct (#8205)
    We should not have any `PathBuf` fields in `ConfigToml` or any of the
    transitive structs we include, as we should use `AbsolutePathBuf`
    instead so that we do not have to keep track of the file from which
    `ConfigToml` was loaded such that we need it to resolve relative paths
    later when the values of `ConfigToml` are used.
    
    I only found two instances of this: `experimental_instructions_file` and
    `experimental_compact_prompt_file`. Incidentally, when these were
    specified as relative paths, they were resolved against `cwd` rather
    than `config.toml`'s parent, which seems wrong to me. I changed the
    behavior so they are resolved against the parent folder of the
    `config.toml` being parsed, which we get "for free" due to the
    introduction of `AbsolutePathBufGuard ` in
    https://github.com/openai/codex/pull/7796.
    
    While it is not great to change the behavior of a released feature,
    these fields are prefixed with `experimental_`, which I interpret to
    mean we have the liberty to change the contract.
    
    For reference:
    
    - `experimental_instructions_file` was introduced in
    https://github.com/openai/codex/pull/1803
    - `experimental_compact_prompt_file` was introduced in
    https://github.com/openai/codex/pull/5959
  • fix: session downgrade (#8196)
    The problem is that the `tokio` task own an `Arc` reference of the
    session and that this task only exit with the broadcast channel get
    closed. But this never get closed if the session is not dropped. So it's
    a snake biting his tail basically
    
    The most notable result was that non of the `Drop` implementation were
    triggered (temporary files, shell snapshots, session cleaning etc etc)
    when closing the session (through a `/new` for example)
    
    The fix is just to weaken the `Arc` and upgrade it on the fly
  • chore: update listMcpServerStatus to be non-blocking (#8151)
    ### Summary
    * Update `listMcpServerStatus` to be non-blocking by wrapping it with
    tokio:spawn.