Commit Graph

1765 Commits

  • 2- Use string service tiers in session protocol (#20971)
    ## Summary
    - break service tier session/op/app-server protocol fields from the
    closed enum to string tier ids
    - send the service tier string directly through model requests, prewarm,
    compaction, memories, and TUI/app-server turn starts
    - regenerate app-server protocol JSON/TypeScript schemas, removing the
    standalone ServiceTier TS enum
    
    ## Verification
    - just fmt
    - cargo check -p codex-core -p codex-app-server -p codex-tui
    - just write-app-server-schema
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • feat(app-server): move v2 sessionId onto Thread (#21336)
    ## Why
    
    `session_id` and `thread_id` are separate identities after #20437, but
    app-server only surfaced `sessionId` on the `thread/start`,
    `thread/resume`, and `thread/fork` response envelopes. Other
    thread-bearing surfaces such as `thread/list`, `thread/read`,
    `thread/started`, `thread/rollback`, `thread/metadata/update`, and
    `thread/unarchive` either lacked the grouping key or forced clients to
    special-case those three responses.
    
    Making `sessionId` part of the reusable `Thread` payload gives every v2
    API surface one place to expose session-tree identity.
    
    ## Mental model
      1. thread.sessionId lives on `Thread`
    2. It is a view/runtime identity for the current live session tree, not
    durable stored lineage metadata
    3. When app-server has a live loaded thread, it copies the real value
    from core’s session_configured.session_id
    4. When it only has stored/unloaded data, it falls back to
    thread.sessionId = thread.id
    
    ## What changed
    
    - Added `sessionId` to the v2
    [`Thread`](https://github.com/openai/codex/blob/8fc9e9b4cf81b6f61d432e71f1eb266f6f104b63/codex-rs/app-server-protocol/src/protocol/v2/thread_data.rs#L105-L109).
    - Removed the duplicate top-level `sessionId` fields from
    `thread/start`, `thread/resume`, and `thread/fork`; clients should now
    read `response.thread.sessionId`.
    - Populated `thread.sessionId` when building live thread responses,
    replaying loaded threads, and returning stored-thread summaries so the
    field is present across start, resume, fork, list, read, rollback,
    metadata-update, unarchive, and `thread/started` paths. See
    [`load_thread_from_resume_source_or_send_internal`](https://github.com/openai/codex/blob/8fc9e9b4cf81b6f61d432e71f1eb266f6f104b63/codex-rs/app-server/src/request_processors/thread_processor.rs#L2824-L2918)
    and
    [`thread_from_stored_thread`](https://github.com/openai/codex/blob/8fc9e9b4cf81b6f61d432e71f1eb266f6f104b63/codex-rs/app-server/src/request_processors/thread_processor.rs#L3671-L3719).
    - Preserved the stored-thread fallback: if a thread has not been loaded
    into a live session tree yet, `thread.sessionId` falls back to
    `thread.id`; once the thread is live again, the field reports the active
    session tree root.
    - Regenerated the JSON/TypeScript schemas and updated the app-server
    README examples to show
    [`thread.sessionId`](https://github.com/openai/codex/blob/8fc9e9b4cf81b6f61d432e71f1eb266f6f104b63/codex-rs/app-server/README.md#L306-L310)
    on the thread object.
  • feat: add session_id (#20437)
    ## Summary
    
    Related to
    https://openai.slack.com/archives/C095U48JNL9/p1777537279707449
    TLDR:
    We update the meaning of session ids and thread ids:
    * thread_id stays as now
    * session_id become a shared id between every thread under a /root
    thread (i.e. every sub-agent share the same session id)
    
    This PR introduces an explicit `SessionId` and threads it through the
    protocol/client boundary so `session_id` and `thread_id` can diverge
    when they need to, while preserving compatibility for older serialized
    `session_configured` events.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Support Codex Apps auth elicitations (#19193)
    ## Summary
    
    - request URL-mode MCP elicitations when Codex Apps tool calls fail with
    connector auth metadata
    - route Codex Apps auth URL elicitations into the TUI app-link flow
    
    ## Test plan
    
    - `just fmt`
    - `cargo test -p codex-core mcp_tool_call::tests`
    - `cargo test -p codex-mcp`
    - `cargo test -p codex-tui bottom_pane::app_link_view::tests`
    - `just fix -p codex-core`
    - `just fix -p codex-mcp`
    - `just fix -p codex-tui`
    
    Also attempted broader local runs:
    
    - `cargo test -p codex-core` fails in unrelated
    config/request-permission/proxy-sensitive tests under the current Codex
    Desktop environment.
    - `cargo test -p codex-tui` fails in unrelated status
    snapshots/trust-default tests because the ambient environment renders
    workspace-write/network permission defaults.
  • [codex-analytics] rework thread_source for thread analytics (#20949)
    ## Summary
    - make `thread_source` an explicit optional thread-level field on
    `thread/start`, `thread/fork`, and returned thread payloads
    - persist `thread_source` in rollout/session metadata so resumed live
    threads retain the original value
    - replace the old best-effort `session_source` -> `thread_source`
    mapping with an explicit caller-supplied analytics classification
    
    ## Why
    Before this change, analytics `thread_source` was populated by a
    best-effort mapping from `session_source`. `session_source` describes
    the runtime/client surface, not the actual thread-level origin, so that
    projection was not accurate enough to distinguish cases such as `user`,
    `subagent`, `memory_consolidation`, and future thread origins reliably.
    
    Making `thread_source` explicit keeps one thread-level analytics field
    while letting callers provide the real classification directly instead
    of recovering it indirectly from `session_source`.
    
    ## Impact
    For new analytics events, `thread_source` now reflects the explicit
    thread-level classification supplied by the caller rather than an
    inferred value derived from `session_source`. Existing protocol fields
    remain optional; callers that omit `threadSource` now produce `null`
    instead of a best-effort inferred value.
    
    ## Validation
    - `just write-app-server-schema`
    - `cargo test -p codex-analytics -p codex-core -p
    codex-app-server-protocol --no-run`
    - `cargo test -p codex-app-server-protocol
    generated_ts_optional_nullable_fields_only_in_params`
    - `cargo test -p codex-analytics
    thread_initialized_event_serializes_expected_shape`
    - `cargo test -p codex-core
    resume_stopped_thread_from_rollout_preserves_thread_source`
  • Expose plugin manifest keywords in app server (#21271)
    ## Summary
    - Add plugin manifest keywords to core plugin marketplace/detail models
    - Expose keywords on app-server v2 PluginSummary and generated
    schema/types
    - Populate keywords in plugin/list and plugin/read responses for local
    plugins
    
    Depends on https://github.com/openai/openai/pull/891087
    
    ## Validation
    - just fmt
    - just write-app-server-schema
    - cargo test -p codex-app-server-protocol
    - cargo test -p codex-core-plugins
    - cargo test -p codex-app-server
    plugin_list_keeps_valid_marketplaces_when_another_marketplace_fails_to_load
    - cargo test -p codex-app-server
    plugin_read_returns_plugin_details_with_bundle_contents
  • fix build (#21261)
    I believe a merge race in https://github.com/openai/codex/pull/20689
    broke the build, so this is a quick fix.
    
    `cargo check --tests` passed locally.
  • Inject state DB, agent graph store (#20689)
    ## Why
    
    We want the agent graph store to be passed down the stack as a real
    dependency, the same way we already treat the thread store.
    
    This will let us inject the agent graph store as a real dependency and
    support implementations other than the local SQLite-backed one. Right
    now most code instantiates a state DB and an agent graph store
    just-in-time. Ideally, we would not depend on the state DB directly but
    only read through the higher-level interfaces.
    
    This change makes the dependency boundaries explicit and moves state DB
    initialization to process bootstrap instead of hiding it inside local
    store implementations.
    
    ## What changed
    
    - `ThreadManager` now requires a `StateDbHandle` and an
    `AgentGraphStore` at construction time instead of treating them as
    optional internals.
    - The local store constructors no longer lazily initialize SQLite.
    Callers now initialize the state DB once per process and use that shared
    handle to build:
      - `LocalThreadStore`
      - `LocalAgentGraphStore`
    - App bootstraps (`app-server`, `mcp-server`, `prompt_debug`, and the
    thread-manager sample) now initialize the state DB up front and inject
    the resulting handle down the stack.
    - `app-server` now consistently uses its process-scoped state DB handle
    instead of reopening SQLite or trying to recover it from loaded threads.
    - Device-key storage now reuses the shared state DB handle instead of
    maintaining its own lazy opener.
    - The thread archive / descendant traversal paths now use the injected
    `AgentGraphStore` instead of reaching through local
    thread-store-specific state.
    
    ## Verification
    
    - `cargo check -p codex-core -p codex-thread-store -p codex-app-server
    -p codex-mcp-server -p codex-thread-manager-sample --tests`
    - `cargo test -p codex-thread-store`
    - `cargo test -p codex-core
    thread_manager_accepts_separate_agent_graph_store_and_thread_store --
    --nocapture`
    - `cargo test -p codex-app-server
    thread_archive_archives_spawned_descendants -- --nocapture`
  • [codex] fix TUI turn items view fixtures (#21243)
    ## Summary
    
    Adds the required `items_view` field to the three session picker `Turn`
    test fixtures that populate full turn item lists.
    
    ## Root Cause
    
    `#21063` added `Turn.items_view` to the app-server protocol type. The
    later session picker merge added three test-only
    `codex_app_server_protocol::Turn` literals without the new field, which
    broke Bazel compilation on `main` with `E0063: missing field
    items_view`.
    
    ## Validation
    
    - `just fmt`
    - `cargo test -p codex-tui resume_picker --no-fail-fast`
    - `just argument-comment-lint`
    
    I also ran `cargo test -p codex-tui`; it compiled and ran the suite, but
    this local machine failed two pre-existing status permission-profile
    tests because `/etc/codex/requirements.toml` disallows
    `DangerFullAccess`.
  • feat(tui): redesign session picker (#20065)
    ## Why
    
    The resume/fork picker is becoming the main way users recover previous
    work, but the old fixed table made sessions hard to scan once thread
    names, branches, working directories, and timestamps all mattered. This
    redesign makes the picker denser by default, easier to search, and safer
    to inspect before resuming or forking.
    
    <table>
    <tr>
    <td>
    <img width="1660" height="1103" alt="CleanShot 2026-05-03 at 12 34 10"
    src="https://github.com/user-attachments/assets/313ede1d-1da4-4863-acd2-56b3e27e9703"
    />
    </td>
    <td>
    <img width="1662" height="1100" alt="CleanShot 2026-05-03 at 12 34 15"
    src="https://github.com/user-attachments/assets/cfde7d5c-bab0-4994-a807-254e53f344ea"
    />
    </td>
    </tr>
    <tr>
    <td>
    <img width="1664" height="1107" alt="CleanShot 2026-05-03 at 12 39 22"
    src="https://github.com/user-attachments/assets/e1ee58ca-4dc5-4a35-ae0f-47562da3974c"
    />
    </td>
    <td>
    <img width="1662" height="1100" alt="CleanShot 2026-05-03 at 12 35 09"
    src="https://github.com/user-attachments/assets/9c888072-eedf-4f45-985c-0c14df28bcc7"
    />
    </td>
    </tr>
    </table>
    
    ## What Changed
    
    - Replaces the old session table with responsive session rows that
    prioritize the session name or preview, then show timestamp, cwd, and
    branch metadata.
    - Makes dense view the default while keeping comfortable view available
    through `Ctrl+O`.
    - Persists the picker view preference in `[tui].session_picker_view`,
    including active profile-scoped config.
    - Adds sort/filter controls for updated time, created time, cwd, and all
    sessions.
    - Expands search matching across session name, preview, thread id,
    branch, and cwd.
    - Makes `Esc` safer in search mode: it clears an active query before
    starting a new session.
    - Adds lazy transcript inspection:
      - `Space` expands recent transcript context inline.
      - `Ctrl+T` opens a transcript overlay.
      - raw reasoning visibility follows `show_raw_agent_reasoning`.
    - Keeps remote cwd filtering server-side for remote app-server sessions
    so local path normalization does not incorrectly hide remote results.
    - Updates snapshots and config schema for the new picker states and
    config option.
    
    ## How to Test
    
    1. Start Codex in a repo with several saved sessions.
    2. Press `Ctrl+R` / resume picker entry point.
    3. Confirm the picker opens in dense mode and shows session name or
    preview, timestamp, cwd, and branch metadata.
    4. Press `Ctrl+O` and confirm it switches between dense and comfortable
    views.
    5. Restart Codex and confirm the selected view persists.
    6. Type a query that matches a branch, cwd, thread id, or session name;
    confirm matching sessions appear.
    7. Press `Esc` while the query is non-empty and confirm it clears search
    instead of starting a new session.
    8. Select a session and press `Space`; confirm recent transcript context
    expands inline.
    9. Press `Ctrl+T`; confirm the transcript overlay opens and respects
    raw-reasoning visibility settings.
    
    Targeted tests:
    - `cargo test -p codex-tui resume_picker --no-fail-fast`
    - `cargo test -p codex-core
    runtime_config_resolves_session_picker_view_default_and_override`
    - `cargo test -p codex-core profile_tui_rejects_unsupported_settings`
    - `cargo check -p codex-thread-manager-sample`
    - `cargo insta pending-snapshots`
  • feat(tui): route /diff through workspace commands (#21001)
    Stacked on #20892.
    
    ## Why
    
    #20892 adds the TUI workspace command abstraction so branch status
    metadata can run through app-server instead of assuming the CLI process
    has the active workspace locally. `/diff` still used direct local
    process execution, which means remote app-server sessions could compute
    the diff against the wrong machine or fail to see the active workspace
    at all.
    
    This PR moves `/diff` onto that same app-server-backed command path so
    Git runs wherever the active workspace lives.
    
    ## What Changed
    
    - Route `/diff` through the TUI `WorkspaceCommandExecutor` using the
    active chat cwd.
    - Replace direct `tokio::process::Command` usage in `get_git_diff` with
    argv-based workspace command requests.
    - Preserve the existing `/diff` behavior: tracked diff output, untracked
    file diffs, treating Git diff exit code `1` as success, and showing the
    existing non-git-repository message.
    - Extend `WorkspaceCommand` with caller-set timeouts and an explicit
    uncapped-output opt-out. Metadata probes remain capped by default;
    `/diff` opts out because its full output is the user-visible payload.
    
    ## How to Test
    
    Manual reviewer path:
    
    1. Start the Codex TUI from a Git worktree with one tracked file change
    and one untracked file.
    2. Run `/diff`.
    3. Confirm the rendered diff includes both the tracked diff and the
    untracked file diff.
    4. Start the TUI outside a Git worktree, or switch to a non-git cwd,
    then run `/diff`.
    5. Confirm it shows the existing `/diff` not-inside-a-git-repository
    message.
    
    Targeted tests run:
    
    - `cargo test -p codex-tui get_git_diff -- --nocapture`
    - `cargo test -p codex-tui branch_summary -- --nocapture`
    - `cargo test -p codex-tui`
  • add turn items view to app-server turns (#21063)
    ## Why
    
    `Turn.items` currently overloads an empty array to mean either that no
    items exist or that the server intentionally did not load them for this
    response. That ambiguity blocks future lazy-loading work where clients
    need to distinguish unloaded, summary, and fully hydrated turn payloads.
    
    ## What changed
    
    - add a new `TurnItemsView` enum with `notLoaded`, `summary`, and `full`
    variants
    - add required `itemsView` metadata to app-server `Turn` payloads
    - mark reconstructed persisted history as `full` and live shell-style
    turn payloads as `notLoaded`
    - keep current `thread/turns/list` behavior unchanged and document that
    it still returns `full` turns today
    - regenerate the JSON and TypeScript protocol fixtures
    
    ## Verification
    
    - `just write-app-server-schema`
    - `cargo test -p codex-app-server-protocol`
    - `cargo test -p codex-app-server thread_read_can_include_turns`
    - `cargo test -p codex-app-server
    thread_turns_list_can_page_backward_and_forward`
    - `cargo test -p codex-app-server
    thread_resume_rejects_history_when_thread_is_running`
    - `just fix -p codex-app-server-protocol`
    - `just fix -p codex-app-server`
    - `just fmt`
  • hook trust metadata and enforcement (#20321)
    # Why
    
    We want shared hook trust that both the app and the TUI can build on,
    but the metadata is only useful if runtime behavior agrees with it. This
    PR adds a single backend trust model for hooks so unmanaged hooks cannot
    run until the current definition has been reviewed, while managed hooks
    remain runnable and non-configurable.
    
    # What
    
    - persist `trusted_hash` alongside hook state in `config.toml`
    - expose `currentHash` and derived `trustStatus` through `hooks/list`
    - derive trust from normalized hook definitions so equivalent hooks from
    `config.toml` and `hooks.json` share the same trust identity
    - gate unmanaged hooks on trust before they enter the runnable handler
    set
    
    # Reviewer Notes
    
    - key file to review is `codex-rs/hooks/src/engine/discovery.rs`
    - the only **core** change is schema related
  • feat(tui): add raw scrollback mode (#20819)
    ## Why
    
    Granular copy is particularly difficult with the current output. Part of
    it was solved with the introduction of the `/copy` command but when you
    only need to copy parts of a response, you still encounter some issues:
    
    - When you copy a paragraph, the result is a sequence of separate lines
    instead of one correctly joined paragraph.
    - When a word wraps, part of it stays on the original line and the rest
    appears at the start of the next line.
    - When you copy a long command, extra line breaks are often inserted,
    and command arguments can be split across multiple lines.
    
    
    https://github.com/user-attachments/assets/0ef85c84-9363-4aad-b43a-15fce062a443
    
    ## Solution
    
    Now that we own the scrollback and we re-create it when we resize, we
    have the opportunity of toggling between the raw text and the rich text
    we see today.
    
    - Add TUI raw scrollback mode with `tui.raw_output_mode`, `/raw
    [on|off]`, and the configurable `tui.keymap.global.toggle_raw_output`
    action.
    - Render transcript cells through rich/raw-aware paths so raw mode
    preserves source text and lets the terminal soft-wrap selection-friendly
    output.
    - Bind raw-mode toggle to `alt-r` by default, with the keybinding path
    toggling silently while `/raw` continues to emit confirmation messages.
    
    ## Related Issues
    
    Likely addressed by raw mode:
    
    - #12200: clean copy for multiline and soft-wrapped output. Raw mode
    removes Codex-inserted wrapping/indentation and lets the terminal
    soft-wrap logical lines.
    - #9252: command suggestions gain unwanted leading spaces when copied.
    Raw mode renders transcript text without the rich-mode left
    padding/gutter.
    - #8258: prompt output is hard to copy because of leading indentation.
    Raw mode renders user/source-backed transcript text without that
    decorative indentation.
    
    Partially or conditionally addressed:
    
    - #2880: copy/export message as Markdown. Raw mode exposes raw Markdown
    for terminal selection, but this PR does not add a dedicated
    export/copy-message command.
    - #19820: mouse drag selection + copy in the TUI. Raw mode improves
    terminal-native selection of output/history text, but this PR does not
    implement in-TUI mouse selection, highlighting, auto-copy, or composer
    selection.
    - #18979: copied content is divided into two parts. This should improve
    cases caused by Codex-inserted wraps/padding in rendered output; if the
    report is about pasting into the composer/input path, that remains
    outside this PR.
    
    ## Validation
    
    - `just write-config-schema`
    - `just fmt`
    - `cargo test -p codex-config`
    - `cargo test -p codex-tui`
    - `just fix -p codex-tui`
    - `just argument-comment-lint`
    - `cargo test -p codex-tui
    raw_output_mode_can_change_without_inserting_notice -- --nocapture`
    - `cargo test -p codex-tui
    raw_slash_command_toggles_and_accepts_on_off_args -- --nocapture`
    - `cargo test -p codex-tui raw_output_toggle -- --nocapture`
    - `git diff --check`
    - `cargo insta pending-snapshots`
  • fix(tui): external editor expansion for same-size large pastes (#21190)
    ## Why
    
    We found this while reviewing #21091, but confirmed it is not introduced
    by that PR: the order-sensitive `current_text_with_pending()`
    replacement loop already existed, and `main` already allowed active
    same-size large pastes to use prefix-overlapping labels such as `[Pasted
    Content N chars]` and `[Pasted Content N chars] #2`.
    
    #21091 fixes placeholder numbering after a draft is cleared, so a fresh
    same-size paste can reuse the base label. This PR fixes a different
    path: when a draft already contains multiple active same-size large
    pastes, the placeholders can overlap by prefix, for example `[Pasted
    Content N chars]` and `[Pasted Content N chars] #2`.
    
    That overlap breaks `current_text_with_pending()` when the composer
    materializes the draft text for the external editor. Replacing the base
    placeholder first can partially rewrite the `#2` placeholder, leaving
    the external editor seeded with corrupted text instead of both paste
    payloads.
    
    | Before | After |
    |---|---|
    | <img width="1230" height="1008" alt="CleanShot 2026-05-05 at 10 18 09"
    src="https://github.com/user-attachments/assets/88a2936c-cf00-4adc-8567-8fd8f398b4a8"
    /> | <img width="1230" height="1008" alt="CleanShot 2026-05-05 at 10 20
    31"
    src="https://github.com/user-attachments/assets/119cff52-43c8-432a-9367-418d82f4ed82"
    /> |
    | <img width="1230" height="1008" alt="CleanShot 2026-05-05 at 10 18 57"
    src="https://github.com/user-attachments/assets/026031bb-839b-4252-a0fd-9ba9616435fe"
    /> | <img width="1230" height="1008" alt="CleanShot 2026-05-05 at 10 21
    31"
    src="https://github.com/user-attachments/assets/8cb6f2c8-3a5d-411b-8623-dca666ee3c08"
    /> |
    
    ## What Changed
    
    - Changed `current_text_with_pending()` to expand pending pastes through
    the existing element-range based `expand_pending_pastes()` helper
    instead of global string replacement.
    - Added a regression test with two different same-length large pastes to
    ensure both overlapping placeholders expand to their original payloads.
    
    ## How to Test
    
    1. Start Codex TUI.
    2. Paste a large string, for example 1004 `A` characters.
    ```shell
    perl -e 'print "A" x 1004' | pbcopy
    ```
    3. Paste a second large string with the same length, for example 1004
    `B` characters.
    ```shell
    perl -e 'print "B" x 1004' | pbcopy
    ```
    4. Open the external editor from the composer.
    5. Confirm the editor is seeded with the full `A...` payload followed by
    the full `B...` payload, with no literal `#2` left behind.
    
    Targeted tests:
    - `cargo test -p codex-tui
    current_text_with_pending_expands_overlapping_placeholders`
    - `just argument-comment-lint-from-source -p codex-tui`
    
    I also ran `cargo test -p codex-tui`; it reached the full crate suite
    but failed two unrelated local status tests because this machine's
    `/etc/codex/requirements.toml` rejects `DangerFullAccess`.
  • [codex] Fix fork --last cwd filtering (#21089)
    Fixes #20945.
    
    This keeps `codex fork --last` aligned with the neighboring
    latest-session lookup flows. The local fork path now uses the same
    cwd-scope helper as `resume --last`, which is also a small code cleanup
    around how this selection logic is shared.
    
    Credit to @chanwooyang1 for the report and for pointing out the narrow
    fix direction.
    
    What changed:
    - Route `fork --last` through the shared latest-session cwd filter.
    - Preserve `--all` as the explicit opt-in for global latest-session
    selection.
    - Keep remote cwd override behavior unchanged.
    - Add focused coverage for local default, `--all`, and remote override
    filter semantics.
    
    Validation:
    - Ran `just fmt`.
    - Ran `git diff --check`.
    - Reviewed the `fork --last`, `resume --last`, and fork picker selection
    paths against the issue report.
  • [codex] Fix TUI large paste placeholder numbering after Ctrl+C (#21091)
    Fixes #19940.
    
    Large-paste placeholder numbering was backed by a per-size counter, so
    clearing a draft with `Ctrl+C` left numbering state behind even though
    the active pending paste state was gone. This updates the composer to
    derive the next placeholder suffix from active pending pastes instead,
    which keeps simultaneous same-size pastes distinct while letting fresh
    drafts reuse the base label. This is also a small code cleanup: pending
    paste state is now the source of truth instead of maintaining a separate
    counter.
    
    Credit to @Sungyoun-Kim for the issue report, root-cause notes, and fork
    with the proposed fix, and to @charley-oai for the earlier related
    #10032 proposal.
    
    Changes:
    - Remove the monotonic large-paste counter from the composer.
    - Compute suffixes from currently active pending paste placeholders.
    - Document large-paste placeholder behavior in the composer module docs.
    - Add regression coverage for `Ctrl+C` clearing and deletion/reset
    behavior.
    
    Testing:
    - `just fmt`
    - `git diff --check`
  • Validate /goal objective length in TUI (#20746)
    ## Why
    
    Long `/goal` definitions currently reach lower-level goal validation and
    can produce an opaque failure. This bug was reported by a user. Pasted
    instruction blocks are especially confusing because the composer can
    still contain a paste placeholder before expansion, which may otherwise
    fall into the generic prompt-size error path.
    
    There was also a related paste edge case where `/goal ` followed by a
    multiline block whose first pasted line was blank looked like a bare
    `/goal` command. That showed the goal usage/summary instead of setting
    the pasted objective.
    
    ## What Changed
    
    This adds TUI-side preflight validation for `/goal <objective>` using
    the shared `MAX_THREAD_GOAL_OBJECTIVE_CHARS` limit. Oversized typed,
    queued, and pasted goal objectives now fail locally with a goal-specific
    message that recommends putting longer instructions in a file and
    referencing that file from the goal.
    
    The TUI now also lets inline-argument slash commands consume later-line
    arguments before treating the first line as a bare command, so `/goal `
    followed by blank lines and then objective text sets the goal instead of
    opening the bare `/goal` flow.
    
    ## Manual Testing
    
    1. Start the TUI with goals enabled and an active session.
    2. Submit `/goal ` followed by exactly 4,000 objective characters. It
    should continue through the normal goal-setting path.
    3. Submit `/goal ` followed by 4,001 objective characters. It should not
    set a goal, and should show `Goal objective is too long: 4,001
    characters. Limit: 4,000 characters.` followed by the guidance to put
    longer instructions in a file and reference that file from the goal.
    4. Type `/goal `, paste a large block that becomes a `[Pasted Content
    ... chars]` placeholder, then submit. It should validate the expanded
    pasted text and show the goal-specific file guidance rather than the
    generic prompt-size error.
    5. Type `/goal `, paste a multiline block whose first line is blank,
    then submit. It should set the objective from the non-blank pasted
    content instead of showing `Usage: /goal <objective>` or the bare goal
    summary.
    6. While a turn is running, queue an oversized `/goal` command. When the
    queue drains, it should show the same goal-specific error and should not
    emit a goal-setting request.
  • fix(tui): make /copy work inside tmux without passthrough (#20207)
    ## Summary
    - prefer tmux's native clipboard integration for `/copy` when running
    inside tmux
    - fall back to OSC 52 when tmux clipboard copy is unavailable
    - add coverage for tmux-preferred, fallback, and combined-failure paths
    
    ## Why
    Inside tmux, `/copy` previously relied on DCS-wrapped OSC 52 when `TMUX`
    was set. That only reaches the outer terminal when tmux passthrough is
    enabled, so Codex could report success even though the system clipboard
    never changed.
    
    ## User impact
    `/copy` now works inside tmux even when `allow-passthrough` is off, as
    long as tmux clipboard integration is available. If tmux cannot handle
    the copy, Codex still keeps the existing OSC 52 fallback path.
    
    ## Validation
    - `cargo test -p codex-tui`
    - `just fmt`
    - `just fix -p codex-tui`
    - `just argument-comment-lint`
    - manually verified `/copy` inside tmux with `allow-passthrough off`
    
    Fixes #19926
  • 1- Add model service tiers metadata (#20969)
    ## Why
    
    The model list needs to carry display-ready service tier metadata so
    clients can render tier choices with stable IDs, names, and
    descriptions. A raw speed-tier string list is not enough for richer UI
    copy or future tier labels.
    
    ## What changed
    
    - Added `ModelServiceTier` to shared model metadata with string `id`,
    `name`, and `description` fields.
    - Added `service_tiers` to `ModelInfo` and `ModelPreset`, preserving
    empty defaults for older cached model payloads.
    - Exposed `serviceTiers` on app-server v2 `Model` responses and threaded
    it through TUI app-server model conversion.
    - Marked legacy `additional_speed_tiers` / `additionalSpeedTiers`
    metadata as deprecated in source and generated schema output.
    - Regenerated app-server protocol JSON schema and TypeScript fixtures,
    including `ModelServiceTier.ts`.
    
    ## Verification
    
    - Ran `just write-app-server-schema`.
    - Did not run local tests per repo instruction; relying on PR CI.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Add plugin ID to skill analytics (#20923)
    ## Summary
    - thread plugin skill roots through the skills loader with their plugin
    ID
    - store plugin ID on loaded skill metadata for plugin-provided skills
    - include plugin ID on skill invocation analytics events
    
    ## Test plan
    - cargo check -p codex-core-skills
    - cargo check -p codex-core -p codex-core-plugins -p codex-analytics
    - cargo check -p codex-tui
    - cargo check -p codex-plugin -p codex-core -p codex-core-plugins -p
    codex-analytics
    - cargo check -p codex-app-server
    - cargo test -p codex-analytics
    - HOME=/private/tmp/codex-empty-home cargo test -p codex-core-skills
    - just fix -p codex-core-skills
    - just fix -p codex-analytics
    - just fix -p codex-core-plugins
    - just fix -p codex-core
    - just fmt
    - git diff --check
  • [codex] Add unsandboxed process exec API (#19040)
    ## Why
    
    App-server clients sometimes need argv-based local process execution
    while sandbox policy is controlled outside Codex. Those environments can
    reject sandbox-disabling paths before a command ever starts, even when
    the caller intentionally wants unsandboxed execution.
    
    This PR adds a distinct `process/*` API for that use case instead of
    extending `command/exec` with another sandbox-disabling shape. Keeping
    the new surface separate also makes the future removal of `command/exec`
    simpler: clients that need explicit process lifecycle control can move
    to the newer handle-based API without depending on `command/exec`
    business logic.
    
    ## What changed
    
    - Added v2 process lifecycle methods: `process/spawn`,
    `process/writeStdin`, `process/resizePty`, and `process/kill`.
    - Added process notifications: `process/outputDelta` for streamed
    stdout/stderr chunks and `process/exited` for final exit status and
    buffered output.
    - Made `process/spawn` intentionally unsandboxed and omitted
    sandbox-selection fields such as `sandboxPolicy` and
    `permissionProfile`.
    - Added client-supplied, connection-scoped `processHandle` values for
    follow-up control requests and notification routing.
    - Supported cwd, environment overrides, PTY mode and size, stdin
    streaming, stdout/stderr streaming, per-stream output caps, and timeout
    controls.
    - Killed active process sessions when the originating app-server
    connection closes.
    - Wired the implementation through the modular `request_processors/`
    app-server layout, with process-handle request serialization for
    follow-up control calls.
    - Updated generated JSON/TypeScript schema fixtures and documented the
    new API in `codex-rs/app-server/README.md`.
    - Added v2 app-server integration coverage in
    `codex-rs/app-server/tests/suite/v2/process_exec.rs` for spawn
    acknowledgement before exit, buffered output caps, and process
    termination.
    
    ## Verification
    
    - `cargo test -p codex-app-server-protocol`
    - `cargo test -p codex-app-server`
    
    ---------
    
    Co-authored-by: Owen Lin <owen@openai.com>
  • [codex-analytics] add item lifecycle timing (#20514)
    ## Why
    
    Tool families already disagree on what their existing `duration` fields
    mean, so lifecycle latency should live on the shared item envelope
    instead of being inferred from per-tool execution fields. Carrying that
    envelope through app-server notifications gives downstream consumers one
    reusable timing signal without pretending every tool has the same
    execution semantics.
    
    ## What changed
    
    - Adds `started_at_ms` to core `ItemStartedEvent` values and
    `completed_at_ms` to core `ItemCompletedEvent` values.
    - Populates those timestamps in the shared session lifecycle emitters,
    so protocol-native items get timing without each producer tracking its
    own clock state.
    - Exposes `startedAtMs` on app-server `item/started` notifications and
    `completedAtMs` on `item/completed` notifications.
    - Maps the lifecycle timestamps through the app-server boundary while
    leaving legacy-converted notifications nullable when no lifecycle
    timestamp exists.
    - Regenerates the app-server JSON schema and TypeScript fixtures for the
    notification-envelope change and updates downstream fixtures that
    construct those notifications directly.
    - Extends the existing web-search and image-generation integration flows
    to assert the new lifecycle timestamps on the native item events.
    
    ## Verification
    
    - `cargo check -p codex-protocol -p codex-core -p
    codex-app-server-protocol -p codex-app-server -p codex-tui -p codex-exec
    -p codex-app-server-client`
    - `cargo test -p codex-core --test all web_search_item_is_emitted`
    - `cargo test -p codex-core --test all
    image_generation_call_event_is_emitted`
    - `cargo test -p codex-app-server-protocol`
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/20514).
    * #18748
    * #18747
    * #17090
    * #17089
    * __->__ #20514
  • fix(tui): use shared paste burst interval on Windows (#18914)
    ## Summary
    
    Fixes #11678 by removing the Windows-specific
    `PASTE_BURST_CHAR_INTERVAL` override. Windows now uses the same `8ms`
    paste-burst character interval as macOS and Linux, which removes the
    extra per-character hold that made fast typing and key repeat feel
    delayed on Windows.
    
    The paste-burst heuristic itself is unchanged, and the Windows-specific
    active idle timeout remains in place. This PR only restores the shared
    character-to-character burst threshold that decides whether adjacent
    plain character events are part of a paste.
    
    ## Motivation
    
    PR #9348 raised the Windows character interval from `8ms` to `30ms` to
    protect the multiline paste behavior tracked in #2137, where pasted
    newlines could be interpreted as submits in Windows terminals. That
    fixed the paste failure, but it also made ordinary typing visibly laggy
    because the TUI waits briefly before flushing a single typed character
    while it checks whether a paste burst is forming.
    
    The deployed behavior here is to remove that Windows-only delay and
    return to the cross-platform threshold. Manual Windows validation of the
    critical VS Code integrated terminal path shows multiline paste still
    works with the final `8ms` value, including testing on VS Code
    `1.107.0`.
    
    ## Testing
    
    - `cargo test -p codex-tui`
    - Manual Windows validation in VS Code integrated PowerShell with the
    final `8ms` interval
  • fix(tui): support modified backspace/delete keys (#21058)
    ## Why
    
    Fixes #21046.
    
    Codex TUI 0.128.0 can show Backspace/Delete-related editor shortcuts in
    `/keymap`, but Windows-style modified Backspace/Delete events were still
    dropped by the composer because the default editor keymap did not
    include those modified special-key variants. On Windows/CMD this meant
    `Shift+Backspace` and `Shift+Delete` did not fall through to normal
    character deletion, and `Ctrl+Backspace` / `Ctrl+Delete` did not perform
    the word deletion users expect from Windows text inputs.
    
    ## What Changed
    
    - Added default editor bindings for `shift-backspace` and `shift-delete`
    so shifted delete keys keep normal grapheme deletion behavior.
    - Added default editor bindings for `ctrl-backspace`,
    `ctrl-shift-backspace`, `ctrl-delete`, and `ctrl-shift-delete` so
    Windows-style word deletion works when terminals preserve those
    modifiers.
    - Added regression coverage for the resolved default keymap and textarea
    behavior.
    
    ## How to Test
    
    1. Start Codex in the TUI on Windows CMD or another terminal that
    reports modified Backspace/Delete keys distinctly.
    2. Type `hello world` in the composer.
    3. Press `Ctrl+Backspace`; confirm `world` is removed and `hello `
    remains.
    4. Type `world` again, move the cursor before it, then press
    `Ctrl+Delete`; confirm the next word is removed.
    5. Type a few characters and press `Shift+Backspace` and `Shift+Delete`;
    confirm they delete one character in the expected direction instead of
    doing nothing.
    6. Open `/keymap`, inspect the Editor deletion actions, and confirm the
    modified Backspace/Delete aliases are visible as configurable defaults.
    
    Targeted tests:
    - `cargo test -p codex-tui keymap::tests`
    - `cargo test -p codex-tui bottom_pane::textarea::tests`
    - `cargo test -p codex-tui keymap_setup::tests`
  • feat(tui): improve TUI keymap coverage (#20798)
    ## Summary
    - normalize terminal-emitted C0 control characters through configurable
    editor keymaps, covering raw control-key fallbacks like
    Shift+Enter-as-LF in terminals from #20555 and #20898, plus part of the
    modified-Enter behavior in #20580
    - add default-unbound keymap actions for toggling Fast mode and killing
    the current composer line, giving #20698 users a configurable zsh-style
    Ctrl+U option without changing the existing default Ctrl+U behavior
    - wire the new actions through gated /keymap picker entries, schema
    generation, and snapshot coverage
    
    Fixes #20555.
    Fixes #20898.
    
    ## Testing
    - just write-config-schema
    - just fmt
    - cargo test -p codex-config
    - cargo test -p codex-tui keymap::tests
    - cargo test -p codex-tui bottom_pane::textarea::tests
    - cargo test -p codex-tui keymap_setup::tests
    - cargo insta pending-snapshots
    - just fix -p codex-tui
    - git diff --check
    - just argument-comment-lint
  • feat(tui): add PR summary statusline items (#20892)
    ## Why?
    
    The Codex App already exposes branch and PR context in its
    branch-details UI. This brings the same context into the CLI footer as
    opt-in statusline items, so users can choose the extra signal without
    making the default footer busier.
    
    ## What?
    
    Add optional `pull-request-number` and `branch-changes` items to the
    configurable TUI status line.
    
    - `pull-request-number` shows the open PR for the current checkout and
    renders as a clickable terminal hyperlink when OSC 8 links are
    supported.
    - `branch-changes` shows committed additions/deletions against the
    repository default branch, or `No changes` when the branch has no
    committed diff.
    
    <img width="1257" height="261" alt="CleanShot 2026-05-03 at 20 44 15"
    src="https://github.com/user-attachments/assets/10b4380b-c3e9-4729-9ee1-3f742068fa47"
    />
    
    ## Architecture
    
    This follows the same client/app-server split as the Codex App: the TUI
    owns presentation, caching, and optional rendering, while
    workspace-sensitive `git` and `gh` discovery runs through app-server.
    
    The new TUI-local `workspace_command` layer sends bounded,
    non-interactive `command/exec` requests to the active app-server. That
    makes the implementation remote-friendly: the TUI does not decide
    whether commands run in an embedded local workspace or a remote
    workspace, and it does not bypass app-server sandbox or permission
    policy.
    
    The branch summary logic stays internal to `codex-tui` because this PR
    only needs TUI statusline behavior. The command boundary is still
    isolated behind `WorkspaceCommandExecutor`, so the lookup code can be
    lifted or reused later without changing statusline rendering.
    
    ## How?
    
    - Add a TUI `WorkspaceCommandExecutor` abstraction backed by app-server
    `command/exec`.
    - Add branch summary probes for:
      - current branch name,
      - open PR metadata,
      - committed branch diff stats against the default branch.
    - Prefer remote-tracking default branch refs for diff stats, avoiding
    stale or absent local `main` branches.
    - Resolve PRs with `gh pr view` first, then fall back to
    commit-associated PR lookup across parent/fork repos.
    - Add `/statusline` picker entries, preview values, rendering, and OSC 8
    clickable PR links.
    - Keep all probes best-effort so missing `git`, missing `gh`, auth
    failures, or non-git directories hide optional items instead of
    surfacing footer errors.
    
    ## Validation
    
    - `cargo test -p codex-tui branch_summary -- --nocapture`
    - Snapshot coverage for the `/statusline` preview/setup rendering paths
    - Hyperlink rendering coverage for clickable PR statusline cells
  • state: pass state db handles through consumers (#20561)
    ## Why
    
    SQLite state was still being opened from consumer paths, including lazy
    `OnceCell`-backed thread-store call sites. That let one process
    construct multiple state DB connections for the same Codex home, which
    makes SQLite lock contention and `database is locked` failures much
    easier to hit.
    
    State DB lifetime should be chosen by main-like entrypoints and tests,
    then passed through explicitly. Consumers should use the supplied
    `Option<StateDbHandle>` or `StateDbHandle` and keep their existing
    filesystem fallback or error behavior when no handle is available.
    
    The startup path also needs to keep the rollout crate in charge of
    SQLite state initialization. Opening `codex_state::StateRuntime`
    directly bypasses rollout metadata backfill, so entrypoints should
    initialize through `codex_rollout::state_db` and receive a handle only
    after required rollout backfills have completed.
    
    ## What Changed
    
    - Initialize the state DB in main-like entrypoints for CLI, TUI,
    app-server, exec, MCP server, and the thread-manager sample.
    - Pass `Option<StateDbHandle>` through `ThreadManager`,
    `LocalThreadStore`, app-server processors, TUI app wiring, rollout
    listing/recording, personality migration, shell snapshot cleanup,
    session-name lookup, and memory/device-key consumers.
    - Remove the lazy local state DB wrapper from the thread store so
    non-test consumers use only the supplied handle or their existing
    fallback path.
    - Make `codex_rollout::state_db::init` the local state startup path: it
    opens/migrates SQLite, runs rollout metadata backfill when needed, waits
    for concurrent backfill workers up to a bounded timeout, verifies
    completion, and then returns the initialized handle.
    - Keep optional/non-owning SQLite helpers, such as remote TUI local
    reads, as open-only paths that do not run startup backfill.
    - Switch app-server startup from direct
    `codex_state::StateRuntime::init` to the rollout state initializer so
    app-server cannot skip rollout backfill.
    - Collapse split rollout lookup/list APIs so callers use the normal
    methods with an optional state handle instead of `_with_state_db`
    variants.
    - Restore `getConversationSummary(ThreadId)` to delegate through
    `ThreadStore::read_thread` instead of a LocalThreadStore-specific
    rollout path special case.
    - Keep DB-backed rollout path lookup keyed on the DB row and file
    existence, without imposing the filesystem filename convention on
    existing DB rows.
    - Verify readable DB-backed rollout paths against `session_meta.id`
    before returning them, so a stale SQLite row that points at another
    thread's JSONL falls back to filesystem search and read-repairs the DB
    row.
    - Keep `debug prompt-input` filesystem-only so a one-off debug command
    does not initialize or backfill SQLite state just to print prompt input.
    - Keep goal-session test Codex homes alive only in the goal-specific
    helper, rather than leaking tempdirs from the shared session test
    helper.
    - Update tests and call sites to pass explicit state handles where DB
    behavior is expected and explicit `None` where filesystem-only behavior
    is intended.
    
    ## Validation
    
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo check -p
    codex-rollout -p codex-thread-store -p codex-app-server -p codex-core -p
    codex-tui -p codex-exec -p codex-cli --tests`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-rollout state_db_`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-rollout find_thread_path`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-rollout find_thread_path -- --nocapture`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-rollout try_init_ -- --nocapture`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-rollout`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo clippy -p
    codex-rollout --lib -- -D warnings`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-thread-store
    read_thread_falls_back_when_sqlite_path_points_to_another_thread --
    --nocapture`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-thread-store`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p codex-core
    shell_snapshot`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p codex-core
    --test all personality_migration`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p codex-core
    --test all rollout_list_find`
    - `RUST_MIN_STACK=8388608 CODEX_SKIP_VENDORED_BWRAP=1
    CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p codex-core
    --test all rollout_list_find::find_prefers_sqlite_path_by_id --
    --nocapture`
    - `RUST_MIN_STACK=8388608 CODEX_SKIP_VENDORED_BWRAP=1
    CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p codex-core
    --test all rollout_list_find -- --nocapture`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p codex-core
    interrupt_accounts_active_goal_before_pausing`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-app-server get_auth_status -- --test-threads=1`
    - `CODEX_SKIP_VENDORED_BWRAP=1
    CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo test -p
    codex-app-server --lib`
    - `CODEX_SKIP_VENDORED_BWRAP=1
    CARGO_TARGET_DIR=/tmp/codex-target-state-db cargo check -p codex-rollout
    -p codex-app-server --tests`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db just fix -p codex-rollout
    -p codex-thread-store -p codex-core -p codex-app-server -p codex-tui -p
    codex-exec -p codex-cli`
    - `CODEX_SKIP_VENDORED_BWRAP=1
    CARGO_TARGET_DIR=/tmp/codex-target-state-db just fix -p codex-rollout -p
    codex-app-server`
    - `CARGO_TARGET_DIR=/tmp/codex-target-state-db just fix -p
    codex-rollout`
    - `CODEX_SKIP_VENDORED_BWRAP=1
    CARGO_TARGET_DIR=/tmp/codex-target-state-db just fix -p codex-core`
    - `just argument-comment-lint -p codex-core`
    - `just argument-comment-lint -p codex-rollout`
    
    Focused coverage added in `codex-rollout`:
    
    - `recorder::tests::state_db_init_backfills_before_returning` verifies
    the rollout metadata row exists before startup init returns.
    - `state_db::tests::try_init_waits_for_concurrent_startup_backfill`
    verifies startup waits for another worker to finish backfill instead of
    disabling the handle for the process.
    -
    `state_db::tests::try_init_times_out_waiting_for_stuck_startup_backfill`
    verifies startup does not hang indefinitely on a stuck backfill lease.
    -
    `tests::find_thread_path_accepts_existing_state_db_path_without_canonical_filename`
    verifies DB-backed lookup accepts valid existing rollout paths even when
    the filename does not include the thread UUID.
    -
    `tests::find_thread_path_falls_back_when_db_path_points_to_another_thread`
    verifies DB-backed lookup ignores a stale row whose existing path
    belongs to another thread and read-repairs the row after filesystem
    fallback.
    
    Focused coverage updated in `codex-core`:
    
    - `rollout_list_find::find_prefers_sqlite_path_by_id` now uses a
    DB-preferred rollout file with matching `session_meta.id`, so it still
    verifies that valid SQLite paths win without depending on stale/empty
    rollout contents.
    
    `cargo test -p codex-app-server thread_list_respects_search_term_filter
    -- --test-threads=1 --nocapture` was attempted locally but timed out
    waiting for the app-server test harness `initialize` response before
    reaching the changed thread-list code path.
    
    `bazel test //codex-rs/thread-store:thread-store-unit-tests
    --test_output=errors` was attempted locally after the thread-store fix,
    but this container failed before target analysis while fetching `v8+`
    through BuildBuddy/direct GitHub. The equivalent local crate coverage,
    including `cargo test -p codex-thread-store`, passes.
    
    A plain local `cargo check -p codex-rollout -p codex-app-server --tests`
    also requires system `libcap.pc` for `codex-linux-sandbox`; the
    follow-up app-server check above used `CODEX_SKIP_VENDORED_BWRAP=1` in
    this container.
  • tui: retire /approvals and rename /autoreview to /approve (#21034)
    ## Why
    
    The TUI currently exposes overlapping command names for the same
    permissions flow: `/permissions` and the older `/approvals` alias. It
    also uses `/autoreview` for the manual retry flow, even though the
    action users take there is approving one denied auto-review request.
    
    This change makes the command surface consistent with the hard rebrand:
    - `/permissions` is the only command for permission settings.
    - `/approve` is the command for approving a recent auto-review denial.
    
    ## What changed
    
    - Removed the legacy `/approvals` slash command and its dispatch path.
    - Kept `/permissions` as the single permissions command shown and
    accepted by the TUI.
    - Renamed the auto-review denial command from `/autoreview` to
    `/approve`.
    - Updated nearby comments so they refer to `/permissions` rather than
    the retired `/approvals` name.
    
    ## Verification
    
    - Updated the slash-command unit test to assert that `AutoReview` now
    renders and parses as `approve`.
  • feat(tui): add keymap debug inspector (#20794)
    ## Why
    
    We constantly get bug reports about keys not being recognized by Codex
    when the terminal is not handling the key press. Running `/keymap debug`
    or `/keymap` and going to the Debug tab, we can allow the user to either
    understand that the key being pressed is not being recognized or to
    check what it's being recognized as and report or reassign that key.
    
    | Menu | Inspector | Hint |
    |---|---|---|
    | <img width="1369" height="796" alt="CleanShot 2026-05-02 at 12 57 12"
    src="https://github.com/user-attachments/assets/512b6faa-344e-4aee-9c00-b4bdc633a662"
    /> | <img width="1261" height="754" alt="CleanShot 2026-05-02 at 12 56
    36"
    src="https://github.com/user-attachments/assets/a6ddae7d-e174-4ee4-893f-e6bec4fff4ab"
    /> | <img width="1369" height="796" alt="CleanShot 2026-05-02 at 12 57
    30"
    src="https://github.com/user-attachments/assets/db507784-f40a-4cff-ac23-a61d9703769b"
    /> |
    ## Summary
    - add a Debug tab to `/keymap` and support `/keymap debug` for direct
    access
    - show what key Codex receives, the config key representation, raw event
    details, and matching actions
    - add a progressive missing-key hint that escalates after a few seconds
    with no detected keypress
    
    ## Validation
    - `just fmt`
    - `cargo test -p codex-tui keymap_setup::tests::debug_view`
    - `cargo test -p codex-tui keymap_setup::tests`
    - `cargo test -p codex-tui slash_keymap`
    - `cargo test -p codex-tui` (unit tests passed; integration test
    `suite::model_availability_nux::resume_startup_does_not_consume_model_availability_nux_count`
    failed locally by itself with `codex resume` exiting 1 and terminal
    probe escape output)
    - `just fix -p codex-tui`
    - `just argument-comment-lint`
    - `cargo insta pending-snapshots`
    - `git diff --check`
  • Speed up /side parent restore replay (#20815)
    ## Why
    
    Returning from a `/side` conversation restores the parent thread by
    replaying its snapshot into the TUI. For very long parent threads,
    replaying every transcript row can take noticeable time even though most
    rows immediately scroll out of terminal history.
    
    ## What Changed
    
    - Buffer thread-switch replay for parent restores when terminal resize
    reflow is enabled.
    - Reuse the existing resize-reflow tail renderer so only the retained
    transcript tail is written back to scrollback when a row cap is
    configured.
  • Keep paused goals paused on thread resume (#20790)
    ## Summary
    
    Early adopters of the `/goal` feature have provided feedback that they
    expect a goal they explicitly paused to remain paused when they resume a
    thread. Previously, resuming a thread would reactivate a paused goal.
    
    This PR keeps persisted goal status unchanged during thread resume. This
    honors the user feedback while also simplifying the core goal logic.
    
    Rather than have the core logic automatically resume a paused goal, that
    responsibility is transferred to the client. The TUI now detects a
    resumed thread with a paused goal and asks the user whether to `Resume
    goal` or `Leave paused`. The prompt appears only for quiet resume flows,
    so users who resume with an immediate prompt are not interrupted.
    
    <img width="544" height="111" alt="image"
    src="https://github.com/user-attachments/assets/0ac9de1c-6ee6-47ba-b223-c03c8eb4c192"
    />
  • fix(tui): bound startup terminal probes (#20654)
    ## Summary
    
    Bound TUI startup terminal response probes so unsupported terminals
    cannot stall startup for multiple seconds.
    
    This replaces the Unix startup uses of crossterm's blocking response
    probes with short `/dev/tty` probes that use nonblocking reads and
    `poll` with a 100ms timeout. It covers the initial cursor-position
    query, keyboard enhancement support detection, and OSC 10/11
    default-color detection. The default-color probe uses one shared
    deadline for foreground and background instead of allowing two
    independent full waits.
    
    The diagnostic mode/trace env vars from the investigation branch are
    intentionally not included. The shipped behavior is simply bounded
    probing by default, while non-Unix keeps the existing crossterm fallback
    path.
    
    ## Details
    
    - Add a private `terminal_probe` module for bounded Unix terminal probes
    and response parsers.
    - Let `custom_terminal::Terminal` accept a caller-provided initial
    cursor position so startup can compute it before constructing the
    terminal.
    - Use bounded cursor, keyboard enhancement, and default-color probes on
    Unix startup.
    - Preserve default-color cache behavior so a failed attempted query does
    not retry forever.
    
    ## Validation
    
    - `cd codex-rs && just fmt`
    - `cd codex-rs && cargo test -p codex-tui terminal_probe`
    - `cd codex-rs && just fix -p codex-tui`
    - `cd codex-rs && just argument-comment-lint`
    - `git diff --check`
    - `git diff --cached --check`
    
    `cd codex-rs && cargo test -p codex-tui` still aborts on the
    pre-existing local stack overflow in
    `app::tests::discard_side_thread_keeps_local_state_when_server_close_fails`;
    I reproduced that same focused failure on `main` before this PR work, so
    it is not introduced by this change.
    
    Manual validation in the VM showed the original crossterm path taking
    about 2s per unanswered probe, while bounded probing returned in about
    100ms per probe.
  • Clear live hook rows when turns finalize (#20674)
    # Why
    
    When a user interrupts a turn while a hook is still running, the normal
    turn status is cleared but the separate live hook row can remain visible
    as `Running` because the TUI may never receive a matching
    `HookCompleted` event before cancellation. Once the turn itself is
    finalized, that turn-scoped live state should not remain on screen.
    
    # What
    
    - clear any still-live `active_hook_cell` during turn finalization
    - add a regression snapshot covering an interrupted turn with a visible
    `PreToolUse` hook row
    
    # Testing
    
    - `cargo test -p codex-tui interrupted_turn_clears_visible_running_hook`
    - attempted `cargo test -p codex-tui` (currently aborts on unrelated
    existing stack overflow in
    `app::tests::discard_side_thread_removes_agent_navigation_entry`)
  • /plugins: add marketplace upgrade flow (#20478)
    This PR adds marketplace upgrade to the `/plugins` menu so users can
    update configured marketplaces. It adds a `Ctrl+U` shortcut on eligible
    marketplace tabs, a loading state, and the app-server request flow
    needed to perform `marketplace/upgrade`. After a successful upgrade, the
    TUI refreshes plugin data, plugin mentions, and user config so updated
    marketplace contents show up across the menu and other plugin surfaces.
    It also preserves the current marketplace tab on no-op and failure paths
    and surfaces backend error details directly in the TUI.
    
    - Add a `Ctrl+U` upgrade option for user-configured marketplace tabs in
    `/plugins`
    - Show the upgrade footer hint only on upgradeable marketplace tabs
    - Show a loading state during `marketplace/upgrade`
    - Surface already-up-to-date and per-marketplace failure results from
    the backend
    - Refresh plugin data, plugin mentions, and user config after successful
    upgrades
    - Add tests and snapshot updates for the shortcut flow, loading state,
    and failure messaging
    
    Steps to test:
    1. Add a `/plugin` marketplace to Codex TUI.
    2. Open `/plugins`, move to that marketplace tab, and confirm the footer
    shows `Ctrl+U` to upgrade.
    3. Press `Ctrl+U` and confirm the popup switches into an upgrade loading
    state.
    4. When the request finishes, confirm you see the expected result:
    updated marketplace contents on success, an already-up-to-date message
    on no-op, or backend error details on failure. On no-op or failure,
    confirm the popup stays on the same marketplace tab.
  • fix(tui): restore alt-enter newline alias (#20535)
    Fixes https://github.com/openai/codex/issues/20501
    
    ## Summary
    - add Alt+Enter to the built-in editor newline aliases
    - update keymap tests that used Alt+Enter as a custom submit binding now
    that it conflicts with newline
    - refresh the keymap action-menu snapshot fixture
    
    ## Test Plan
    - `just fmt`
    - `cargo test -p codex-tui keymap::tests`
    - `cargo test -p codex-tui bottom_pane::textarea::tests`
    - `cargo test -p codex-tui keymap_setup::tests`
    - `cargo test -p codex-tui`
    - `cargo insta pending-snapshots`
    - `git diff --check`
    - `just argument-comment-lint`
  • Add /ide context support to the TUI (#20294)
    ## Why
    
    Users have asked for a `/ide` command in the TUI so Codex can use the
    active IDE session for live context such as the current file, open tabs,
    and selected ranges. We already support a similar feature in the Codex
    desktop app, so bringing it to the TUI makes sense.
    
    One subtle compatibility constraint is that the injected prompt wrapper
    and transcript stripping should match the desktop app and IDE extension.
    By using the same `## My request for Codex:` delimiter and hiding the
    injected context from transcript rendering the same way, threads created
    in the TUI render correctly in desktop and IDE surfaces, and threads
    created there replay correctly in the TUI, even when IDE context was
    included.
    
    Addresses https://github.com/openai/codex/issues/13834.
    
    ## What changed
    ### Summary
    This PR consists of four four pieces:
    1. An IPC client that uses a socket (Mac/Linux) or named pipe (Windows)
    to talk to the IDE Extension
    2. Logic that establishes the IPC connection and requests IDE context
    (open files, selection) on demand
    3. Logic that injects this context into the user prompt (using the same
    technique as the desktop app) and hides the added context when rendering
    the prompt in the TUI transcript
    4. A new slash command for enabling/disabling this mode and text within
    the footer to indicate when it's enabled
    
    ### Details
    - Added `/ide [on|off|status]` to the TUI, with bare `/ide` toggling IDE
    context on or off.
    - Added a Rust IDE context client that connects to the local Codex IDE
    IPC route as a client and requests context from the IDE extension flow.
    - Injected IDE context using the same prompt delimiter and
    transcript-stripping convention as the desktop app and IDE extension so
    shared threads render consistently across surfaces.
    - Added an `IDE context` status-line indicator while the feature is
    active and cleared it when enabling or fetching context fails.
    - Added handling for multiple selection ranges, oversized selections,
    interleaved IPC messages, and transient reconnect timing after quick
    toggles.
    
    ## Verification
    
    Did extensive manual testing in addition to running automated unit and
    regression tests.
    
    To test:
    
    - Launch VS Code (or Cursor) with the IDE extension.
    - Open one or more files in the IDE and select a range of text within
    one of them.
    - Start the TUI.
    - Ask the agent which files you have open in your IDE, and it should say
    that it does not know.
    - Enable `/ide` mode; note that `IDE context` appears in the lower
    right.
    - Ask the agent what files you have open in your IDE and what text is
    selected.
  • Enforce animations = false for screen readers (#20564)
    ## Why
    
    Issue #20489 calls out that animated TUI affordances can be noisy for
    screen-reader users. Codex already has `tui.animations = false` as a
    reduced-motion setting, but some live activity rows render spinner-style
    prefixes in that mode. These were relatively recent regressions.
    
    We have also regressed this pattern more than once by adding new
    spinner/shimmer callsites that do not think through the reduced-motion
    path, so this PR adds a small guardrail while fixing the current
    surfaces.
    
    ## What changed
    
    - Omit the live status-row spinner when animations are disabled, so the
    row starts with stable text like `Working (...)`.
    - Render running hook headers without the spinner prefix when animations
    are disabled, while preserving shimmer/spinner behavior when animations
    are enabled.
    - Centralize TUI activity indicators in `tui/src/motion.rs`, with
    explicit reduced-motion choices for hidden prefixes, static bullets, and
    plain shimmer-text fallbacks.
    - Route existing spinner/shimmer callsites through the central motion
    helper, including exec rows, MCP/web-search/loading rows, hook rows,
    plugin loading, and onboarding loading text.
    - Add a source-scan regression test that rejects direct `spinner(...)`
    or `shimmer_spans(...)` usage outside the central module and primitive
    definition.
    - Add focused coverage that reduced-motion active exec rows are stable,
    status rows start without a spinner, running hooks omit the spinner, and
    MCP inventory loading stays stable.
    - Update the one affected status-indicator snapshot; the existing detail
    tree prefix remains unchanged.
    
    ## Verification
    
    - `cargo test -p codex-tui`
  • feat: export and replay effective config locks (#20405)
    ## Why
    
    For reproducibility. A hand-written `config.toml` is not enough to
    recreate what a Codex session actually ran with because layered config,
    CLI overrides, defaults, feature aliases, resolved feature config,
    prompt setup, and model-catalog/session values can all affect the final
    runtime behavior.
    
    This PR adds an effective config lockfile path: one run can export the
    resolved session config, and a later run can replay that lockfile and
    fail early if the regenerated effective config drifts.
    
    ## What Changed
    
    - Add a dedicated `ConfigLockfileToml` wrapper with top-level lockfile
    metadata plus the replayable config:
    
      ```toml
      version = 1
      codex_version = "..."
    
      [config]
      # effective ConfigToml fields
      ```
    
    - Keep lockfile metadata out of regular `ConfigToml`; replay loads
    `ConfigLockfileToml` and then uses its nested `config` as the
    authoritative config layer.
    - Add `debug.config_lockfile.export_dir` to write
    `<thread_id>.config.lock.toml` when a root session starts.
    - Add `debug.config_lockfile.load_path` to replay a saved lockfile and
    validate the regenerated session lockfile against it.
    - Add `debug.config_lockfile.allow_codex_version_mismatch` to optionally
    tolerate Codex binary version drift while still comparing the rest of
    the lockfile.
    - Add `debug.config_lockfile.save_fields_resolved_from_model_catalog` so
    lock creation can either save model-catalog/session-resolved fields or
    intentionally leave those fields dynamic.
    - Build lockfiles from the effective config plus resolved runtime values
    such as model selection, reasoning settings, prompts, service tier, web
    search mode, feature states/config, memories config, skill instructions,
    and agent limits.
    - Materialize feature aliases and custom feature config into the
    lockfile so replay compares canonical resolved behavior instead of
    user-authored alias shape.
    - Strip profile/debug/file-include/environment-specific inputs from
    generated lockfiles so they contain replayable values rather than the
    inputs that produced those values.
    - Surface JSON-RPC server error code/data in app-server client and TUI
    bootstrap errors so config-lock replay failures include the actual TOML
    diff.
    - Regenerate the config schema for the new debug config keys.
    
    ## Review Notes
    
    The main flow is split across these files:
    
    - `config/src/config_toml.rs`: lockfile/debug TOML shapes.
    - `core/src/config/mod.rs`: loading `debug.config_lockfile.*`, replaying
    a lockfile as a config layer, and preserving the expected lockfile for
    validation.
    - `core/src/session/config_lock.rs`: exporting the current session
    lockfile and materializing resolved session/config values.
    - `core/src/config_lock.rs`: lockfile parsing, metadata/version checks,
    replay comparison, and diff formatting.
    
    ## Usage
    
    Export a lockfile from a normal session:
    
    ```sh
    codex -c 'debug.config_lockfile.export_dir="/tmp/codex-locks"'
    ```
    
    Export a lockfile without saving model-catalog/session-resolved fields:
    
    ```sh
    codex -c 'debug.config_lockfile.export_dir="/tmp/codex-locks"' \
      -c 'debug.config_lockfile.save_fields_resolved_from_model_catalog=false'
    ```
    
    Replay a saved lockfile in a later session:
    
    ```sh
    codex -c 'debug.config_lockfile.load_path="/tmp/codex-locks/<thread_id>.config.lock.toml"'
    ```
    
    If replay resolves to a different effective config, startup fails with a
    TOML diff.
    
    To tolerate Codex binary version drift during replay:
    
    ```sh
    codex -c 'debug.config_lockfile.load_path="/tmp/codex-locks/<thread_id>.config.lock.toml"' \
      -c 'debug.config_lockfile.allow_codex_version_mismatch=true'
    ```
    
    ## Limitations
    
    This does not support custom rules/network policies.
    
    ## Verification
    
    - `cargo test -p codex-core config_lock`
    - `cargo test -p codex-config`
    - `cargo test -p codex-thread-manager-sample`
  • Color TUI statusline from active theme (#19631)
    ## Why
    
    Users have shared that the TUI can feel too visually flat because themes
    mostly show up in code syntax highlighting. The configurable statusline
    is a natural place to make the active theme more visible, while still
    letting users keep the existing monotone statusline if they prefer it.
    
    ## What Changed
    
    - Added a statusline styling helper that builds the rendered statusline
    from `(StatusLineItem, text)` segments, preserving item identity while
    keeping the plain text output unchanged.
    - Derived foreground accent colors from the active syntax theme by
    looking up TextMate scopes through the existing syntax highlighter, with
    conservative ANSI fallbacks when a scope does not provide a foreground.
    - Tuned theme-derived colors to keep the accents visible without making
    the statusline feel overly bright.
    - Added `[tui].status_line_use_colors`, defaulting to `true`, plus a
    separated `/statusline` toggle so users can enable or disable
    theme-derived statusline colors from the setup UI.
    - Updated the live statusline and `/statusline` preview to use the same
    styled builder, while keeping terminal-title preview text plain.
    - Kept statusline separators and active-agent add-ons subdued while
    removing blanket dimming from the whole passive statusline.
    
    ## Verification
    
    - `cargo test -p codex-tui status_line`
    - `cargo test -p codex-tui theme_picker`
    - `cargo test -p codex-tui foreground_style_for_scopes`
    - `cargo test -p codex-tui`
    - `cargo test -p codex-config`
    - `cargo test -p codex-core status_line_use_colors`
    - `cargo insta pending-snapshots --manifest-path tui/Cargo.toml`
    
    ## Visual
    
    <img width="369" height="23" alt="Screenshot 2026-04-30 at 6 16 08 PM"
    src="https://github.com/user-attachments/assets/11d03efb-8e4f-4450-8f4d-00a9659ef4cd"
    />
    
    <img width="385" height="23" alt="Screenshot 2026-04-30 at 6 16 02 PM"
    src="https://github.com/user-attachments/assets/a3d89f36-bdc1-42e8-8e84-61350e3999e2"
    />
  • Format multi-day goal durations in the TUI (#20558)
    ## Why
    
    Goal mode shows elapsed time in compact hour/minute form. That is easy
    to scan for shorter runs, but once a goal runs past 24 hours, large hour
    counts become harder to read at a glance.
    
    ## What changed
    
    Updated `codex-rs/tui/src/goal_display.rs` so unbudgeted goal elapsed
    time keeps the existing compact format below one day, then switches to a
    day-aware format once the elapsed time reaches 24 hours:
    
    - `23h 59m`
    - `1d 0h 0m`
    - `2d 23h 42m`
    
    The formatter now covers the 24-hour boundary in unit tests, and the TUI
    status-line snapshot for a completed elapsed goal now exercises the
    multi-day display.
    
    ## Verification
    
    - `cargo test -p codex-tui`
    
    Here's my longest-running test task:
    
    <img width="186" height="23" alt="image"
    src="https://github.com/user-attachments/assets/cedfcdab-7f6e-44e6-8495-8a39f63973fb"
    />
  • Make thread store process-scoped (#19474)
    - Build one app-server process ThreadStore from startup config and share
    it with ThreadManager and CodexMessageProcessor.
    - Remove per-thread/fork store reconstruction so effective thread config
    cannot switch the persistence backend.
    - Add params to ThreadStore create/resume for specifying thread
    metadata, since otherwise the metadata from store creation would be used
    (incorrectly).
  • [codex] Remove unused event messages (#20511)
    ## Why
    
    Several legacy `EventMsg` variants were still emitted or mapped even
    though clients either ignored them or had moved to item/lifecycle
    events. `Op::Undo` had also degraded to an unavailable shim, so this
    removes that dead task path instead of preserving a command that cannot
    do useful work.
    
    `McpStartupComplete`, `WebSearchBegin`, and `ImageGenerationBegin` are
    intentionally kept because useful consumers still depend on them: MCP
    startup completion drives readiness behavior, and the begin events let
    app-server/core consumers surface in-progress web-search and
    image-generation items before the final payload arrives.
    
    ## What Changed
    
    - Removed weak legacy event variants and payloads from `codex-protocol`,
    including legacy agent deltas, background events, and undo lifecycle
    events.
    - Kept/restored `EventMsg::McpStartupComplete`,
    `EventMsg::WebSearchBegin`, and `EventMsg::ImageGenerationBegin` with
    serializer and emission coverage.
    - Updated core, rollout, MCP server, app-server thread history,
    review/delegate filtering, and tests to rely on the useful replacement
    events that remain.
    - Removed `Op::Undo`, `UndoTask`, the undo test module, and stale TUI
    slash-command comments.
    - Stopped agent job/background progress and compaction retry notices
    from emitting `BackgroundEvent` payloads.
    
    ## Verification
    
    - `cargo check -p codex-protocol -p codex-app-server-protocol -p
    codex-core -p codex-rollout -p codex-rollout-trace -p codex-mcp-server`
    - `cargo test -p codex-protocol -p codex-app-server-protocol -p
    codex-rollout -p codex-rollout-trace -p codex-mcp-server`
    - `cargo test -p codex-core --test all suite::items`
    - `just fix -p codex-protocol -p codex-app-server-protocol -p codex-core
    -p codex-rollout -p codex-rollout-trace -p codex-mcp-server`
    - Earlier coverage on this PR also included `codex-mcp`, `codex-tui`,
    core library tests, MCP/plugin/delegate/review/agent job tests, and MCP
    startup TUI tests.
  • Surface admin-disabled remote plugin status (#20298)
    ## Summary
    
    Remote plugin-service returns plugin availability separately from a
    user's installed/enabled state. This adds `PluginAvailabilityStatus` to
    the app-server protocol, propagates remote catalog `status` into
    `PluginSummary`, and rejects install attempts for remote plugins marked
    `DISABLED_BY_ADMIN` before downloading or caching the bundle.
    
    This is the `openai/codex` half of the change. The companion
    `openai/openai` webview PR is
    https://github.com/openai/openai/pull/873269.
    
    ## Validation
    
    - `cargo run -p codex-app-server-protocol --bin write_schema_fixtures`
    - `cargo test -p codex-app-server --test all
    plugin_list_marks_remote_plugin_disabled_by_admin`
    - `cargo test -p codex-app-server --test all
    plugin_list_includes_remote_marketplaces_when_remote_plugin_enabled`
    - `cargo test -p codex-app-server --test all
    plugin_install_rejects_remote_plugin_disabled_by_admin_before_download`
    - `cargo test -p codex-app-server-protocol schema_fixtures`
  • feat(tui): add vim composer mode (#18595)
    ## Why
    
    Codex now has configurable TUI keymaps, but the composer still behaves
    like a plain text field. Users who prefer modal editing need a way to
    keep Vim muscle memory while drafting prompts, and the keymap picker
    needs to expose Vim-specific actions if those bindings are configurable
    instead of hardcoded.
    
    ## What Changed
    
    - Adds composer Vim mode with insert/normal state, common normal-mode
    movement and editing commands, `d`/`y` operator-pending flows, and
    mode-aware footer and cursor indicators.
    - Adds `/vim`, an optional global `toggle_vim_mode` binding, and
    `tui.vim_mode_default` so Vim mode can be toggled per session or enabled
    as the default composer state.
    - Extends runtime and config keymaps with `vim_normal` and
    `vim_operator` contexts, exposes those contexts in `/keymap`, refreshes
    the config schema, and validates Vim bindings separately.
    - Integrates Vim normal mode with existing composer behavior: `/` opens
    slash command entry, `!` enters shell mode, `j`/`k` navigate history at
    history boundaries, successful submissions reset back to normal mode,
    and paste burst handling remains insert-mode only.
    - Teaches the TUI render path to apply and restore cursor style so Vim
    insert mode can use a bar cursor without leaving the terminal in that
    state after exit.
    
    ## Validation
    
    - `cargo test -p codex-tui keymap -- --nocapture` on the keymap/Vim
    coverage
    - `cargo insta pending-snapshots`
    
    ## Docs
    
    This introduces user-facing `/vim`, `tui.vim_mode_default`, and Vim
    keymap contexts under `tui.keymap`, so the public CLI configuration and
    slash-command docs should be updated before the feature ships.
  • fix(tui): set persist_extended_history: false (#20502)
    Large rollouts are no good. This updates the TUI to behave the same as
    the Codex App, which is also turning it off.
  • fix: show correct Bedrock runtime endpoint in /status (#20275)
    ## Why
    
    `/status` was showing the configured `ModelProviderInfo.base_url` for
    Amazon Bedrock, which can be stale or misleading because the actual
    Bedrock Mantle endpoint is derived at runtime from the resolved AWS
    region. This made sessions report the wrong provider endpoint even
    though requests used the correct runtime URL.
    
    ## What changed
    
    - Added `ModelProvider::runtime_base_url()` so provider implementations
    can expose the request-time base URL through the shared runtime provider
    abstraction.
    - Moved Bedrock region-to-Mantle URL resolution into
    `amazon_bedrock::mantle::runtime_base_url()`, keeping region resolution
    private to the Mantle module.
    - Overrode `runtime_base_url()` for Amazon Bedrock so it returns the
    resolved Mantle endpoint instead of the configured default.
    - Resolved and cached the runtime provider base URL during TUI startup,
    then used that cached value when rendering `/status`.
    - Added status coverage that verifies Bedrock displays the runtime URL
    and ignores the configured Bedrock `base_url` when they differ.
    
    ## Verification
    model provider is resolved correctly in local build:
    <img width="696" height="245" alt="Screenshot 2026-04-29 at 5 01 36 PM"
    src="https://github.com/user-attachments/assets/a13c10a5-3720-41ab-8ace-3c4bc573f971"
    />
  • Add /hooks browser for lifecycle hooks (#19882)
    ## Why
    
    `hooks/list` and `hooks/config/write` give us read/write access to hooks
    and their state. This hooks up the TUI as a client so users can inspect
    and manage that state directly.
    
    ## What
    
    - add a two-page `/hooks` browser in the TUI: an event overview with
    installed/active counts, followed by a per-event handler page with
    toggle controls and detail rendering
    - thread managed-state metadata through hook discovery and `hooks/list`
    so the UI can label admin-managed hooks and suppress toggles for them
    - persist hook toggles through the existing config-write path and add
    snapshot coverage for the event list, handler list, managed-hook, and
    empty states
    
    ## Stack
    
    1. openai/codex#19705
    2. openai/codex#19778
    3. openai/codex#19840
    4. This PR - openai/codex#19882
    
    ## Reviewer Notes
    
    - Main UI logic is in
    `codex-rs/tui/src/bottom_pane/hooks_browser_view.rs`; most of the diff
    is the new view plus its snapshot coverage
    - Request / write plumbing for opening the browser and persisting
    toggles is in `codex-rs/tui/src/app/background_requests.rs` and
    `codex-rs/tui/src/chatwidget/hooks.rs`
    - Outside the TUI, the only behavioral change in this PR is threading
    `is_managed` through hook discovery and `hooks/list` so managed hooks
    render as non-toggleable
    - The `codex-rs/tui/src/status/snapshots/` churn is unrelated merge
    fallout from the stacked base branch's newer permission-label rendering
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Remove core protocol dependency [2/2] (#20325)
    ## Why
    
    With the local model layer and app-server routing in place from PR1,
    this PR moves the active TUI runtime onto app-server notifications. The
    affected pieces share the same event flow, so the command surface,
    session state, bottom-pane prompts, chat rendering, history/status
    views, and tests move together to keep the stacked branch buildable.
    
    This PR also removes the obsolete compatibility surface that is no
    longer used after the migration. The proposed protocol-boundary verifier
    layer was dropped from the stack; enforcing that final boundary will be
    simpler once `codex-tui` no longer needs any `codex_protocol`
    references.
    
    This PR is part 2 of a 2-PR stack:
    
    1. Add TUI-owned replacement models and extract app-server event
    routing.
    2. Move the active TUI flow to app-server notifications and delete
    obsolete adapter code.
    
    ## What changed
    
    - Rewired app command and session handling to use app-server request and
    notification shapes.
    - Moved approval overlays, request-user-input flows, MCP elicitation,
    realtime events, and review commands onto the app-server-facing model
    surface.
    - Updated chat rendering, history cells, status views, multi-agent UI,
    replay state, and TUI tests to use app-server notifications plus the
    local models introduced in PR1.
    - Deleted `codex-rs/tui/src/app/app_server_adapter.rs` and the
    superseded `chatwidget/tests/background_events.rs` fixture path.
    
    ## Verification
    
    - `cargo check -p codex-tui --tests`
    - Top of stack: `cargo test -p codex-tui`