Commit Graph

31 Commits

  • fix: prevent fmt from updating Python SDK lockfile (#22505)
    ## Why
    
    `just fmt` should align source formatting without resolving dependencies
    or rewriting lockfiles. The Python SDK formatting steps run through
    `uv`, so differing local `uv` versions could decide the SDK lock was
    stale and mutate `sdk/python/uv.lock` before Ruff ran.
    
    ## What
    
    - Add `--frozen` to both Python SDK `uv run ... ruff` commands in the
    root `fmt` recipe.
    - Update the existing Python SDK artifact workflow guard test so future
    changes keep the formatter recipe non-lock-mutating.
    
    ## Verification
    
    - `uv run --frozen --project ../sdk/python --extra dev pytest
    ../sdk/python/tests/test_artifact_workflow_and_binaries.py -q`
  • fix: uv lock (#22323)
    Update the lock of UV
  • [8/8] Add Python SDK Ruff formatting (#22021)
    ## Why
    
    The Python SDK needs the same tight formatter/lint loop as the rest of
    the repo: a safe Ruff autofix pass, Ruff formatting, editor save
    behavior, and CI checks that catch drift. Without that loop, SDK changes
    can land with formatting or import ordering that differs from what
    reviewers and CI expect.
    
    ## What
    
    - Add Ruff configuration to `sdk/python/pyproject.toml`, excluding
    generated protocol code and notebooks from the normal lint/format pass.
    - Update `just fmt` so it still formats Rust and also runs Python SDK
    Ruff autofix and formatting.
    - Add Python SDK CI steps for `ruff check` and `ruff format --check`
    before pytest.
    - Recommend the Ruff VS Code extension and enable Python
    format/fix/organize-on-save so Cmd+S uses the same tooling.
    - Apply the resulting Ruff formatting to SDK Python files, examples, and
    the checked-in generated `v2_all.py` output emitted by the pinned
    generator.
    - Add a guard test for the `just fmt` recipe so it keeps working from
    both Rust and Python SDK working directories.
    
    ## Stack
    
    1. #21891 `[1/8]` Pin Python SDK runtime dependency
    2. #21893 `[2/8]` Generate Python SDK types from pinned runtime
    3. #21895 `[3/8]` Run Python SDK tests in CI
    4. #21896 `[4/8]` Define Python SDK public API surface
    5. #21905 `[5/8]` Rename Python SDK package to `openai-codex`
    6. #21910 `[6/8]` Add high-level Python SDK approval mode
    7. #22014 `[7/8]` Add Python SDK app-server integration harness
    8. This PR `[8/8]` Add Python SDK Ruff formatting
    
    ## Verification
    
    - Added `test_root_fmt_recipe_formats_rust_and_python_sdk` for the
    shared format recipe.
    - Ran `just fmt` after the recipe update.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • [7/8] Add Python SDK app-server integration harness (#22014)
    ## Why
    
    The SDK had behavioral tests that replaced SDK client internals. Those
    tests could catch wrapper mistakes, but they did not prove the pinned
    app-server runtime, generated notification models, request routing, and
    sync/async public clients worked together.
    
    This PR adds deterministic integration coverage that starts the pinned
    `codex app-server` process and mocks only the upstream Responses HTTP
    boundary.
    
    ## What
    
    - Add `AppServerHarness` and `MockResponsesServer` helpers for isolated
    `CODEX_HOME`, mock-provider config, queued SSE responses, and captured
    `/v1/responses` requests.
    - Add shared helpers for SSE construction, stream assertions,
    approval-policy inspection, and image fixtures.
    - Split integration coverage into focused modules for run behavior,
    inputs, streaming, turn controls, approvals, and thread lifecycle.
    - Cover sync and async `Thread.run`, `TurnHandle.stream`, interleaved
    streams, approval-mode persistence, lifecycle helpers, final-answer
    phase handling, image inputs, loaded skill input injection, steering,
    interruption, listing, history reads, run overrides, and token usage
    mapping.
    - Replace public-wrapper tests that duplicated integration-test behavior
    with lower-level client tests only where direct client behavior is the
    thing under test.
    
    ## Stack
    
    1. #21891 `[1/8]` Pin Python SDK runtime dependency
    2. #21893 `[2/8]` Generate Python SDK types from pinned runtime
    3. #21895 `[3/8]` Run Python SDK tests in CI
    4. #21896 `[4/8]` Define Python SDK public API surface
    5. #21905 `[5/8]` Rename Python SDK package to `openai-codex`
    6. #21910 `[6/8]` Add high-level Python SDK approval mode
    7. This PR `[7/8]` Add Python SDK app-server integration harness
    8. #22021 `[8/8]` Add Python SDK Ruff formatting
    
    ## Verification
    
    - Added pinned app-server integration tests under
    `sdk/python/tests/test_app_server_*.py` and
    `test_real_app_server_integration.py`.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • [6/8] Add high-level Python SDK approval mode (#21910)
    ## Why
    
    The high-level SDK should expose the approval behavior it actually
    supports instead of leaking generated app-server routing fields. New
    work should have two clear choices: default auto review, or explicitly
    deny escalated permission requests. Existing threads and subsequent
    turns should preserve their current approval behavior unless the caller
    passes an override.
    
    ## What
    
    - Add the public `ApprovalMode` enum with `auto_review` and `deny_all`.
    - Default new thread creation to `ApprovalMode.auto_review`.
    - Preserve existing approval settings by default for resume, fork, run,
    and turn helpers.
    - Remove raw `approval_policy` / `approvals_reviewer` kwargs from
    high-level SDK wrappers.
    - Update generated wrapper output, docs, examples, notebooks, and tests
    for the high-level approval mode API.
    
    ## Stack
    
    1. #21891 `[1/8]` Pin Python SDK runtime dependency
    2. #21893 `[2/8]` Generate Python SDK types from pinned runtime
    3. #21895 `[3/8]` Run Python SDK tests in CI
    4. #21896 `[4/8]` Define Python SDK public API surface
    5. #21905 `[5/8]` Rename Python SDK package to `openai-codex`
    6. This PR `[6/8]` Add high-level Python SDK approval mode
    7. #22014 `[7/8]` Add Python SDK app-server integration harness
    8. #22021 `[8/8]` Add Python SDK Ruff formatting
    
    ## Verification
    
    - Added approval-mode mapping/default tests for new threads, existing
    threads, forks, resumes, and subsequent turns.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • [5/8] Rename Python SDK package to openai-codex (#21905)
    ## Why
    
    The SDK should publish under the reserved public distribution name
    `openai-codex`, and its import module should match that name in the
    Python style. Since package names can contain hyphens but import modules
    cannot, the public import path becomes `openai_codex`.
    
    Keeping the rename separate from the public API surface change makes the
    naming change easy to review and avoids mixing it with API curation.
    
    ## What
    
    - Rename the SDK distribution from `openai-codex-app-server-sdk` to
    `openai-codex`.
    - Rename the import package from `codex_app_server` to `openai_codex`.
    - Keep the runtime wheel as the separate `openai-codex-cli-bin`
    dependency.
    - Update docs, examples, notebooks, artifact scripts, lockfile metadata,
    and tests for the new distribution/module names.
    
    ## Stack
    
    1. #21891 `[1/8]` Pin Python SDK runtime dependency
    2. #21893 `[2/8]` Generate Python SDK types from pinned runtime
    3. #21895 `[3/8]` Run Python SDK tests in CI
    4. #21896 `[4/8]` Define Python SDK public API surface
    5. This PR `[5/8]` Rename Python SDK package to `openai-codex`
    6. #21910 `[6/8]` Add high-level Python SDK approval mode
    7. #22014 `[7/8]` Add Python SDK app-server integration harness
    8. #22021 `[8/8]` Add Python SDK Ruff formatting
    
    ## Verification
    
    - Updated package metadata and public API tests to assert the
    distribution and import names.
    
    Co-authored-by: Codex <noreply@openai.com>
  • [4/8] Define Python SDK public API surface (#21896)
    ## Why
    
    The SDK package root should be the ergonomic public client API, not a
    dump of every generated app-server schema type. Generated models still
    need a supported import path, but callers should be able to tell which
    names are high-level SDK entrypoints and which names are protocol value
    models.
    
    ## What
    
    - Define a curated root `__all__` for clients, handles, input helpers,
    retry helpers, config, and public errors.
    - Add a `types` module as the supported home for generated app-server
    response, event, enum, and helper models.
    - Update docs and examples to import protocol/value models from the type
    module.
    - Add tests that lock root exports, type-module exports, star-import
    behavior, and example import hygiene.
    
    ## Stack
    
    1. #21891 `[1/8]` Pin Python SDK runtime dependency
    2. #21893 `[2/8]` Generate Python SDK types from pinned runtime
    3. #21895 `[3/8]` Run Python SDK tests in CI
    4. This PR `[4/8]` Define Python SDK public API surface
    5. #21905 `[5/8]` Rename Python SDK package to `openai-codex`
    6. #21910 `[6/8]` Add high-level Python SDK approval mode
    7. #22014 `[7/8]` Add Python SDK app-server integration harness
    8. #22021 `[8/8]` Add Python SDK Ruff formatting
    
    ## Verification
    
    - Added public API signature tests for root exports, `types` exports,
    and example imports.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • [2/8] Generate Python SDK types from pinned runtime (#21893)
    ## Why
    
    Once the SDK declares its runtime package, generated Python artifacts
    should come from that pinned runtime rather than whatever app-server
    schema happens to be in the current checkout. That keeps the generated
    API and model surface aligned with the runtime users install.
    
    ## What
    
    - Teach `scripts/update_sdk_artifacts.py generate-types` to invoke the
    pinned runtime package for schema generation.
    - Regenerate `v2_all.py`, `notification_registry.py`, and generated
    public wrapper methods from that schema.
    - Add freshness coverage so regenerating from the pinned runtime must
    leave checked-in artifacts unchanged.
    
    ## Stack
    
    1. #21891 `[1/8]` Pin Python SDK runtime dependency
    2. This PR `[2/8]` Generate Python SDK types from pinned runtime
    3. #21895 `[3/8]` Run Python SDK tests in CI
    4. #21896 `[4/8]` Define Python SDK public API surface
    5. #21905 `[5/8]` Rename Python SDK package to `openai-codex`
    6. #21910 `[6/8]` Add high-level Python SDK approval mode
    7. #22014 `[7/8]` Add Python SDK app-server integration harness
    8. #22021 `[8/8]` Add Python SDK Ruff formatting
    
    ## Verification
    
    - Added `test_generated_files_are_up_to_date` for pinned-runtime
    generation drift.
    - Added generator-structure tests for schema annotation and notification
    metadata generation.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • [1/8] Pin Python SDK runtime dependency (#21891)
    ## Why
    
    The Python SDK depends on the app-server runtime package for the bundled
    `codex` binary and schema source of truth. That relationship should be
    explicit in package metadata instead of inferred from matching version
    numbers, so installers, lockfiles, and reviewers can see exactly which
    runtime the SDK expects.
    
    ## What
    
    - Declare `openai-codex-cli-bin==0.131.0a4` as a Python SDK dependency.
    - Update runtime setup helpers to resolve the runtime version from the
    declared dependency pin.
    - Refresh the SDK lockfile for the pinned runtime wheel.
    - Update package/runtime tests and docs that describe where the runtime
    version comes from.
    
    ## Stack
    
    1. This PR `[1/8]` Pin Python SDK runtime dependency
    2. #21893 `[2/8]` Generate Python SDK types from pinned runtime
    3. #21895 `[3/8]` Run Python SDK tests in CI
    4. #21896 `[4/8]` Define Python SDK public API surface
    5. #21905 `[5/8]` Rename Python SDK package to `openai-codex`
    6. #21910 `[6/8]` Add high-level Python SDK approval mode
    7. #22014 `[7/8]` Add Python SDK app-server integration harness
    8. #22021 `[8/8]` Add Python SDK Ruff formatting
    
    ## Verification
    
    - Added coverage for the SDK runtime dependency pin and runtime
    distribution naming.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Route Python SDK turn notifications by ID (#21778)
    ## Why
    
    The Python SDK previously protected the stdio transport with a single
    active turn-consumer guard. That avoided competing reads from stdout,
    but it also meant one `Codex`/`AsyncCodex` client could not stream
    multiple active turns at the same time. Notifications could also arrive
    before the caller received a `TurnHandle` and registered for streaming,
    so the SDK needed an explicit routing layer instead of letting
    individual API calls read directly from the shared transport.
    
    ## What Changed
    
    - Added a private `MessageRouter` that owns per-request response queues,
    per-turn notification queues, pending turn-notification replay, and
    global notification delivery behind a single stdout reader thread.
    - Generated typed notification routing metadata so turn IDs come from
    known payload shapes instead of router-side attribute guessing, with
    explicit fallback handling for unknown notification payloads.
    - Updated sync and async turn streaming so `TurnHandle.stream()`/`run()`
    and `stream_text()` consume only notifications for their own turn ID,
    while `AsyncAppServerClient` no longer serializes all transport calls
    behind one async lock.
    - Cleared pending turn-notification buffers when unregistered turns
    complete so never-consumed turn handles do not leave stale queues
    behind.
    - Removed the internal stream-until helper now that turn completion
    waiting can register directly with routed turn notifications.
    - Updated Python SDK docs and focused tests for concurrent transport
    calls, interleaved turn routing, buffered early notifications, unknown
    notification routing, async delegation, and routed turn completion
    behavior.
    
    ## Validation
    
    - `uv run --extra dev ruff format scripts/update_sdk_artifacts.py
    src/codex_app_server/_message_router.py src/codex_app_server/client.py
    src/codex_app_server/generated/notification_registry.py
    tests/test_client_rpc_methods.py
    tests/test_public_api_runtime_behavior.py
    tests/test_async_client_behavior.py`
    - `uv run --extra dev ruff check scripts/update_sdk_artifacts.py
    src/codex_app_server/_message_router.py src/codex_app_server/client.py
    src/codex_app_server/generated/notification_registry.py
    tests/test_client_rpc_methods.py
    tests/test_public_api_runtime_behavior.py
    tests/test_async_client_behavior.py`
    - `uv run --extra dev pytest tests/test_client_rpc_methods.py
    tests/test_public_api_runtime_behavior.py
    tests/test_async_client_behavior.py`
    - `git diff --check`
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Publish Python runtime wheels on release (#21784)
    ## Why
    
    Published Python SDK builds depend on an exact `openai-codex-cli-bin`
    runtime package, but the release workflow did not publish that runtime
    package to PyPI. That left the SDK packaging story incomplete: release
    artifacts could produce Codex binaries, but Python users still needed a
    matching wheel carrying the platform-specific runtime and helper
    executables.
    
    This PR is stacked on #21787 so release jobs can include helper binaries
    in runtime wheels: Linux wheels include `bwrap` for sandbox fallback,
    and Windows wheels include the signed sandbox/elevation helpers beside
    `codex.exe`.
    
    ## What changed
    
    - Builds platform-specific `openai-codex-cli-bin` wheels from signed
    release binaries on macOS, Linux, and Windows release runners.
    - Packages Linux `bwrap` into musllinux runtime wheels.
    - Packages Windows sandbox helper executables into Windows runtime
    wheels.
    - Uploads runtime wheels as GitHub release assets and publishes them to
    PyPI using trusted publishing from the `pypi` GitHub environment.
    - Keeps the new Python runtime publish job non-blocking so failures need
    follow-up but do not fail the Rust release workflow.
    - Pins the PyPA publish action to the `v1.13.0` commit SHA for
    reproducible release publishing.
    - Documents that runtime wheels are platform wheels published through
    PyPI trusted publishing.
    
    ## Testing
    
    - `ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f); puts "ok
    #{f}" }' .github/workflows/rust-release.yml
    .github/workflows/rust-release-windows.yml`
    - `git diff --check`
    
    CI is the real end-to-end verification for the release workflow path.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Support resource binaries in Python runtime staging (#21787)
    ## Why
    
    Some Codex runtime distributions need helper executables beside the main
    bundled binary. Linux sandbox fallback needs a packaged `bwrap` when no
    suitable system `bwrap` is available, and Windows sandbox/elevation
    needs helper executables discoverable beside `codex.exe`. The checked-in
    `openai-codex-cli-bin` template already packages everything under
    `codex_cli_bin/bin/**`, but the staging script only copied the main
    Codex binary into that directory.
    
    This PR adds the generic staging primitive needed by release workflows
    to build complete platform runtime wheels without baking
    platform-specific helper names into the package template.
    
    ## What changed
    
    - Added repeatable `stage-runtime --resource-binary` support so release
    workflows can copy extra executables beside the bundled Codex binary.
    - Kept resource selection in workflow code, where the platform target is
    known.
    - Added tests that verify resource binaries are copied into the staged
    runtime package, that the wheel include config covers them, and that the
    CLI forwards repeated `--resource-binary` values.
    
    ## Testing
    
    - `uv run ruff check scripts/update_sdk_artifacts.py
    tests/test_artifact_workflow_and_binaries.py`
    - `uv run --extra dev pytest
    tests/test_artifact_workflow_and_binaries.py::test_stage_runtime_release_copies_resource_binaries
    tests/test_artifact_workflow_and_binaries.py::test_runtime_resource_binaries_are_included_by_wheel_config
    tests/test_artifact_workflow_and_binaries.py::test_stage_runtime_stages_binary_without_type_generation`
    
    Full `tests/test_artifact_workflow_and_binaries.py` still has unrelated
    schema-normalization drift in the local checkout.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Add remote plugin skill read API (#20150)
    ## Summary
    
    Adds an app-server `plugin/skill/read` method for remote plugin skill
    markdown. The new method calls the plugin-service skill detail endpoint
    and returns `skill_md_contents`, so clients can preview skills for
    remote plugins before the bundle is installed locally.
    
    ## Why
    
    Uninstalled remote plugin skills do not have local `SKILL.md` files.
    Without an on-demand remote read, the desktop plugin details UI cannot
    render the skill details modal for those skills.
    
    ## Validation
    
    - `just write-app-server-schema`
    - `just fmt`
    - `cargo test -p codex-app-server-protocol`
    - `cargo test -p codex-app-server --test all --
    suite::v2::plugin_read::plugin_skill_read_reads_remote_skill_contents_when_remote_plugin_enabled
    --exact`
    - `just fix -p codex-app-server-protocol -p codex-core-plugins -p
    codex-app-server`
  • Publish Python SDK with Codex-pinned versioning (#18996)
    **note**: a large chunk of this diff comes from regenerating Python
    types after app-server schema changes on `main`.
    
    This is PR 3 of 3 for the Python SDK PyPI publishing split. PR #18862
    refreshed the generated SDK surface, and PR #18865 made the runtime
    package publishable as `openai-codex-cli-bin`; this final PR makes the
    SDK package publishable as `openai-codex-app-server-sdk` and pins both
    packages to the same Codex runtime version.
    
    The key idea is that the published SDK version is the Codex runtime
    version. That one version now drives the SDK package version, the exact
    runtime dependency, the client version reported by the SDK, and the
    bootstrap runtime pin. This keeps release-time versioning in one lane
    instead of scattering checked-in literals through the package.
    
    ## What changed
    
    - Rename the SDK distribution from `codex-app-server-sdk` to
    `openai-codex-app-server-sdk` for conflict-free PyPI publishing.
    - Use `stage-sdk --codex-version ...` with one Codex version for both
    the SDK package version and exact `openai-codex-cli-bin` dependency.
    - Preserve hidden legacy `--runtime-version` / `--sdk-version` args only
    to reject mismatched versions during staging.
    - Map PEP 440 package versions back to Codex release tags for runtime
    setup downloads, e.g. `0.116.0a1` -> `rust-v0.116.0-alpha.1`.
    - Derive `codex_app_server.__version__`, the default
    `AppServerConfig.client_version`, and
    `_runtime_setup.pinned_runtime_version()` from the SDK package/project
    version instead of hardcoding duplicate version strings.
    - Carry the current generated SDK refresh from `main` so
    `generate-types` stays clean after recent app-server schema changes.
    - Update `sdk/python/uv.lock` for the renamed editable package.
    
    ## Validation
    
    - `uv run --extra dev pytest` in `sdk/python` -> 59 passed, 37 skipped.
    - Targeted `uv run ruff check` for the touched SDK files.
    - `git diff --check`.
    - Staged runtime with `--codex-version rust-v0.116.0-alpha.1
    --platform-tag macosx_11_0_arm64`.
    - Staged SDK with `--codex-version rust-v0.116.0-alpha.1`.
    - Built runtime wheel, SDK wheel, and SDK sdist.
    - `twine check /tmp/codex-python-pr3-build/dist/*` -> passed.
    - Clean venv smoke installed `openai-codex-app-server-sdk==0.116.0a1`
    from local dist and pulled `openai-codex-cli-bin==0.116.0a1`.
    - Smoke imports passed for `Codex` and `bundled_codex_path()`.
  • Harden package-manager install policy (#19163)
    ## Summary
    
    This PR hardens package-manager usage across the repo to reduce
    dependency supply-chain risk. It also removes the stale `codex-cli`
    Docker path, which was already broken on `main`, instead of keeping a
    bitrotted container workflow alive.
    
    ## What changed
    
    - Updated pnpm package manager pins and workspace install settings.
    - Removed stale `codex-cli` Docker assets instead of trying to keep a
    broken local container path alive.
    - Added uv settings and lockfiles for the Python SDK packages.
    - Updated Python SDK setup docs to use `uv sync`.
    
    ## Why
    
    This is primarily a security hardening change. It reduces
    package-install and supply-chain risk by ensuring dependency installs go
    through pinned package managers, committed lockfiles, release-age
    settings, and reviewed build-script controls.
    
    For `codex-cli`, the right follow-up was to remove the local Docker path
    rather than keep patching it:
    
    - `codex-cli/Dockerfile` installed `codex.tgz` with `npm install -g`,
    which bypassed the repo lockfile and age-gated pnpm settings.
    - The local `codex-cli/scripts/build_container.sh` helper was already
    broken on `main`: it called `pnpm run build`, but
    `codex-cli/package.json` does not define a `build` script.
    - The container path itself had bitrotted enough that keeping it would
    require extra packaging-specific behavior that was not otherwise needed
    by the repo.
    
    ## Gaps addressed
    
    - Global npm installs bypassed the repo lockfile in Docker and CLI
    reinstall paths, including `codex-cli/Dockerfile` and
    `codex-cli/bin/codex.js`.
    - CI and Docker pnpm installs used `--frozen-lockfile`, but the repo was
    missing stricter pnpm workspace settings for dependency build scripts.
    - Python SDK projects had `pyproject.toml` metadata but no committed
    `uv.lock` coverage or uv age/index settings in `sdk/python` and
    `sdk/python-runtime`.
    - The secure devcontainer install path used npm/global install behavior
    without a local locked package-manager boundary.
    - The local `codex-cli` Docker helper was already broken on `main`, so
    this PR removes that stale Docker path instead of preserving a broken
    surface.
    - pnpm was already pinned, but not to the current repo-wide pnpm version
    target.
    
    ## Verification
    
    - `pnpm install --frozen-lockfile`
    - `.devcontainer/codex-install`: `pnpm install --prod --frozen-lockfile`
    - `.devcontainer/codex-install`: `./node_modules/.bin/codex --version`
    - `sdk/python`: `uv lock --check`, `uv sync --locked --all-extras
    --dry-run`, `uv build`
    - `sdk/python-runtime`: `uv lock --check`, `uv sync --locked --dry-run`,
    `uv build --wheel`
    - `pnpm -r --filter ./sdk/typescript run build`
    - `pnpm -r --filter ./sdk/typescript run lint`
    - `pnpm -r --filter ./sdk/typescript run test`
    - `node --check codex-cli/bin/codex.js`
    - `docker build -f .devcontainer/Dockerfile.secure -t codex-secure-test
    .`
    - `cargo build -p codex-cli`
    - repo-wide package-manager audit
  • Fix auto-review config compatibility across protocol and SDK (#19113)
    ## Why
    
    This keeps the partial Guardian subagent -> Auto-review rename
    forward-compatible across mixed Codex installations. Newer binaries need
    to understand the new `auto_review` spelling, but they cannot write it
    to shared `~/.codex/config.toml` yet because older CLI/app-server
    bundles only know `user` and `guardian_subagent` and can fail during
    config load before recovering.
    
    The Python SDK had the opposite compatibility gap: app-server responses
    can contain `approvalsReviewer: "auto_review"`, but the checked-in
    generated SDK enum did not accept that value.
    
    ## What Changed
    
    - Keep `ApprovalsReviewer::AutoReview` readable from both
    `guardian_subagent` and `auto_review`, while serializing it as
    `guardian_subagent` in both protocol crates.
    - Update TUI Auto-review persistence tests so enabling Auto-review
    writes `approvals_reviewer = "guardian_subagent"` while UI copy still
    says Auto-review.
    - Map managed/cloud `feature_requirements.auto_review` to the existing
    `Feature::GuardianApproval` gate without adding a broad local
    `[features].auto_review` key or changing config writes.
    - Add `auto_review` to the Python SDK `ApprovalsReviewer` enum and cover
    `ThreadResumeResponse` validation.
    
    ## Testing
    
    - `cargo test -p codex-protocol approvals_reviewer`
    - `cargo test -p codex-app-server-protocol approvals_reviewer`
    - `cargo test -p codex-tui
    update_feature_flags_enabling_guardian_selects_auto_review`
    - `cargo test -p codex-tui
    update_feature_flags_enabling_guardian_in_profile_sets_profile_auto_review_policy`
    - `cargo test -p codex-core
    feature_requirements_auto_review_disables_guardian_approval`
    - `pytest
    sdk/python/tests/test_client_rpc_methods.py::test_thread_resume_response_accepts_auto_review_reviewer`
    - `git diff --check`
  • Stage publishable Python runtime wheels (#18865)
    This is PR 2 of the Python SDK PyPI publishing split. [PR
    1](https://github.com/openai/codex/pull/18862) refreshed the generated
    SDK bindings; this PR makes the runtime package itself publishable, and
    PR 3 will wire the SDK package/version pinning to this runtime package.
    
    ## Summary
    - Rename the runtime distribution to `openai-codex-cli-bin` while
    keeping the import package as `codex_cli_bin`.
    - Make the runtime package wheel-only and build `py3-none-<platform>`
    wheels instead of interpreter-specific wheels.
    - Add `stage-runtime --codex-version` and `--platform-tag` so release
    staging can produce the platform wheel matrix from Codex release tags.
    - Add focused artifact workflow tests for version normalization,
    platform tag injection, and runtime wheel metadata.
    
    ## Why Rename
    There is already an unofficial PyPI package,
    [`codex-bin`](https://pypi.org/project/codex-bin/), distributing OpenAI
    Codex binaries. Publishing the official SDK runtime dependency as
    `openai-codex-cli-bin` makes the ownership clear, avoids confusing the
    SDK-pinned runtime wheel with that unowned wrapper, and keeps the import
    package unchanged as `codex_cli_bin`.
    
    ## Tests
    - `uv run --extra dev pytest
    tests/test_artifact_workflow_and_binaries.py` -> 21 passed
    - `uv run --extra dev python scripts/update_sdk_artifacts.py
    stage-runtime /tmp/codex-python-pr2-rebased/runtime-stage
    /tmp/codex-python-pr2-rebased/codex --codex-version
    rust-v0.116.0-alpha.1 --platform-tag macosx_11_0_arm64`
    - `uv run --with build --extra dev python -m build --wheel
    /tmp/codex-python-pr2-rebased/runtime-stage`
    - `uv run --with twine --extra dev twine check
    /tmp/codex-python-pr2-rebased/runtime-stage/dist/openai_codex_cli_bin-0.116.0a1-py3-none-macosx_11_0_arm64.whl`
    
    ## Note
    - Full `uv run --extra dev pytest` currently fails because regenerating
    from schemas already on `main` adds new DeviceKey Python types. I left
    that generated catch-up out of this runtime-only PR.
  • Refresh generated Python app-server SDK types (#18862)
    This is the first step in splitting the Python SDK PyPI publish work
    into reviewable layers: land the generated SDK refresh by itself before
    changing packaging mechanics. The next PRs will make the runtime wheel
    publishable, then wire the SDK package/version pinning to that runtime.
    
    ## Summary
    - Refresh generated Python app-server v2 models and notification
    registry from the current schema.
    - Update the public API signature expectations for the newly generated
    kwargs.
    
    ## Stack
    - PR 1 of 3 for the Python SDK PyPI publishing split.
    - Follow-up PRs will handle runtime wheel publishing mechanics, then
    SDK/package version pinning.
    
    ## Tests
    - `uv run --extra dev pytest` in `sdk/python` -> 51 passed, 37 skipped.
  • Add usage-based business plan types (#15934)
    ## Summary
    - add `self_serve_business_usage_based` and `enterprise_cbp_usage_based`
    to the public/internal plan enums and regenerate the app-server + Python
    SDK artifacts
    - map both plans through JWT login and backend rate-limit payloads, then
    bucket them with the existing Team/Business entitlement behavior in
    cloud requirements, usage-limit copy, tooltips, and status display
    - keep the earlier display-label remap commit on this branch so the new
    Team-like and Business-like plans render consistently in the UI
    
    ## Testing
    - `just write-app-server-schema`
    - `uv run --project sdk/python python
    sdk/python/scripts/update_sdk_artifacts.py generate-types`
    - `just fix -p codex-protocol -p codex-login -p codex-core -p
    codex-backend-client -p codex-cloud-requirements -p codex-tui -p
    codex-tui-app-server -p codex-backend-openapi-models`
    - `just fmt`
    - `just argument-comment-lint`
    - `cargo test -p codex-protocol
    usage_based_plan_types_use_expected_wire_names`
    - `cargo test -p codex-login usage_based`
    - `cargo test -p codex-backend-client usage_based`
    - `cargo test -p codex-cloud-requirements usage_based`
    - `cargo test -p codex-core usage_limit_reached_error_formats_`
    - `cargo test -p codex-tui plan_type_display_name_remaps_display_labels`
    - `cargo test -p codex-tui remapped`
    - `cargo test -p codex-tui-app-server
    plan_type_display_name_remaps_display_labels`
    - `cargo test -p codex-tui-app-server remapped`
    - `cargo test -p codex-tui-app-server
    preserves_usage_based_plan_type_wire_name`
    
    ## Notes
    - a broader multi-crate `cargo test` run still hits unrelated existing
    guardian-approval config failures in
    `codex-rs/core/src/config/config_tests.rs`
  • Fix stale quickstart integration assertion (#15677)
    TL;DR: update the quickstart integration assertion to match the current
    example output.
    
    - replace the stale `Status:` expectation for
    `01_quickstart_constructor` with `Server:`, `Items:`, and `Text:`
    - keep the existing guard against `Server: unknown`
  • Pin Python SDK app-server stdio to UTF-8 on Windows (#15244)
    ## TL;DR
    Pin the Python app-server SDK subprocess pipes to UTF-8 so Windows users
    on non-UTF-8 locales do not hit `UnicodeDecodeError` when the `codex`
    child emits UTF-8 text.
    
    - add `encoding="utf-8"` to the `subprocess.Popen(...)` call in
    `AppServerClient.start()`
    - add a focused regression test that asserts the client launches the
    subprocess with UTF-8 text I/O
    - validates with `python -m pytest
    sdk/python/tests/test_client_rpc_methods.py
    sdk/python/tests/test_client_process_launch.py
    sdk/python/tests/test_public_api_runtime_behavior.py`
    
    Fixes #14311.
  • Add Python SDK thread.run convenience methods (#15088)
    ## TL;DR
    Add `thread.run(...)` / `async thread.run(...)` convenience methods to
    the Python SDK for the common case.
    
    - add `RunInput = Input | str` and `RunResult` with `final_response`,
    collected `items`, and optional `usage`
    - keep `thread.turn(...)` strict and lower-level for streaming,
    steering, interrupting, and raw generated `Turn` access
    - update Python SDK docs, quickstart examples, and tests for the sync
    and async convenience flows
    
    ## Validation
    - `python3 -m pytest sdk/python/tests/test_public_api_signatures.py
    sdk/python/tests/test_public_api_runtime_behavior.py`
    - `python3 -m pytest
    sdk/python/tests/test_real_app_server_integration.py -k
    'thread_run_convenience or async_thread_run_convenience'` (skipped in
    this environment)
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Revert "fix: harden plugin feature gating" (#15102)
    Reverts openai/codex#15020
    
    I messed up the commit in my PR and accidentally merged changes that
    were still under review.
  • fix: harden plugin feature gating (#15020)
    1. Use requirement-resolved config.features as the plugin gate.
    2. Guard plugin/list, plugin/read, and related flows behind that gate.
    3. Skip bad marketplace.json files instead of failing the whole list.
    4. Simplify plugin state and caching.
  • Add Python SDK public API and examples (#14446)
    ## TL;DR
    WIP esp the examples
    
    Thin the Python SDK public surface so the wrapper layer returns
    canonical app-server generated models directly.
    
    - keeps `Codex` / `AsyncCodex` / `Thread` / `Turn` and input helpers,
    but removes alias-only type layers and custom result models
    - `metadata` now returns `InitializeResponse` and `run()` returns the
    generated app-server `Turn`
    - updates docs, examples, notebook, and tests to use canonical generated
    types and regenerates `v2_all.py` against current schema
    - keeps the pinned runtime-package integration flow and real integration
    coverage
    
      ## Validation
      - `PYTHONPATH=sdk/python/src python3 -m pytest sdk/python/tests`
    - `GH_TOKEN="$(gh auth token)" RUN_REAL_CODEX_TESTS=1
    PYTHONPATH=sdk/python/src python3 -m pytest sdk/python/tests -rs`
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Cleanup skills/remote/xxx endpoints. (#14977)
    Remote skills/remote/xxx as they are not in used for now.
  • feat: support remote_sync for plugin install/uninstall. (#14878)
    - Added forceRemoteSync to plugin/install and plugin/uninstall.
    - With forceRemoteSync=true, we update the remote plugin status first,
    then apply the local change only if the backend call succeeds.
    - Kept plugin/list(forceRemoteSync=true) as the main recon path, and for
    now it treats remote enabled=false as uninstall. We
    will eventually migrate to plugin/installed for more precise state
    handling.
  • Refresh Python SDK generated types (#14646)
    ## Summary
    - regenerate `sdk/python` protocol-derived artifacts on latest
    `origin/main`
    - update `notification_registry.py` to match the regenerated
    notification set
    - fix the stale SDK test expectation for `GranularAskForApproval`
    
    ## Validation
    - `cd sdk/python && python scripts/update_sdk_artifacts.py
    generate-types`
    - `cd sdk/python && python -m pytest`
  • app-server: Add platform os and family to init response (#14527)
    This allows the client to pick os-specific behavior while interacting
    with the app server, e.g. to use proper path separators.
  • Add Python app-server SDK (#14435)
    ## TL;DR
    Bring the Python app-server SDK from `main-with-prs-13953-and-14232`
    onto current `main` as a standalone SDK-only PR.
    
    - adds the new `sdk/python` and `sdk/python-runtime` package trees
    - keeps the scope to the SDK payload only, without the unrelated
    branch-history or workflow changes from the source branch
    - regenerates `sdk/python/src/codex_app_server/generated/v2_all.py`
    against current `main` schema so the extracted SDK matches today's
    protocol definitions
    
    ## Validation
    - `PYTHONPATH=sdk/python/src python3 -m pytest sdk/python/tests`
    
    Co-authored-by: Codex <noreply@openai.com>