Commit Graph

5412 Commits

  • feat: introduce codex-pr-body skill (#18033)
    ## Motivation
    
    Codex needs a repeatable workflow for updating PR metadata after a pull
    request already exists. This is more specific than generic GitHub
    handling: the assistant needs to preserve author-provided body content,
    explain why the PR exists before listing implementation details, and
    describe only the net change under review, including when Sapling stacks
    put a PR on top of another PR instead of `main`.
    
    ## Changes
    
    - Adds `.codex/skills/codex-pr-body/SKILL.md`.
    - Documents how to infer the target PR from the current branch or
    commit, including Sapling-specific PR metadata and `sl sl` output.
    - Defines the expected PR body update behavior: inspect the existing
    body, preserve key content such as images, avoid local absolute paths,
    use Markdown formatting, include relevant issue/PR references, and call
    out developer docs follow-up only when applicable.
    - Captures stacked-PR handling so generated PR text describes the change
    between the PR's base and head, rather than unrelated ancestor changes.
    
    ## Verification
    
    Not run; this is a Codex skill documentation addition.
  • [codex] Make command exec delta tests chunk tolerant (#17999)
    ## Summary
    - Make command/exec output-delta tests accumulate streamed chunks
    instead of assuming complete logical output in a single notification.
    - Collect stdout and stderr independently so stream interleaving does
    not fail the pipe streaming test.
    
    ## Why
    The command/exec protocol exposes output as deltas, so tests should not
    rely on chunk boundaries being stable. A line like `out-start\n` may
    arrive split across multiple notifications, and stdout/stderr
    notifications may interleave.
    
    ## Validation
    - `just fmt`
    - `git diff --check`
    - `cargo test -p codex-app-server suite::v2::command_exec`
  • removing network proxy for yolo (#17742)
    **Summary**
    - prevent managed requirements.toml network settings from leaking into
    DangerFullAccess / yolo turns by gating managed proxy attachment on
    sandbox mode
    - keep guardian/sandboxed modes on the managed proxy path, while making
    true yolo bypass the proxy entirely, including /shell full-access
    commands
  • Clarify realtime v2 context and handoff messages (#17896)
    ## Summary
    - wrap realtime startup context in
    `<startup_context>...</startup_context>` tags
    - prefix V2 mirrored user text and relayed backend text with `[USER]` /
    `[BACKEND]`
    - remove the V2 progress suffix and replace the final V2 handoff output
    with a short completion acknowledgement while preserving the existing V1
    wrapper
    
    ## Testing
    - cargo test -p codex-api
    realtime_v2_session_update_includes_background_agent_tool_and_handoff_output_item
    -- --exact
    - cargo test -p codex-app-server webrtc_v2_background_agent_
    - cargo test -p codex-app-server webrtc_v2_text_input_is_
    - cargo test -p codex-core conversation_user_text_turn_is_
  • [mcp] Add dummy tools for previously called but currently missing tools. (#17853)
    - [x] Add dummy tools for previously called but currently missing tools.
    Currently supporting MCP tools only.
  • Significantly improve standalone installer (#17022)
    ## Summary
    
    This PR significantly improves the standalone installer experience.
    
    The main changes are:
    
    1. We now install the codex binary and other dependencies in a
    subdirectory under CODEX_HOME.
    (`CODEX_HOME/packages/standalone/releases/...`)
    
    2. We replace the `codex.js` launcher that npm/bun rely on with logic in
    the Rust binary that automatically resolves its dependencies (like
    ripgrep)
    
    ## Motivation
    
    A few design constraints pushed this work.
    
    1. Currently, the entrypoint to codex is through `codex.js`, which
    forces a node dependency to kick off our rust app. We want to move away
    from this so that the entrypoint to codex does not rely on node or
    external package managers.
    2. Right now, the native script adds codex and its dependencies directly
    to user PATH. Given that codex is likely to add more binary dependencies
    than ripgrep, we want a solution which does not add arbitrary binaries
    to user PATH -- the only one we want to add is the `codex` command
    itself.
    3. We want upgrades to be atomic. We do not want scenarios where
    interrupting an upgrade command can move codex into undefined state (for
    example, having a new codex binary but an old ripgrep binary). This was
    ~possible with the old script.
    4. Currently, the Rust binary uses heuristics to determine which
    installer created it. These heuristics are flaky and are tied to the
    `codex.js` launcher. We need a more stable/deterministic way to
    determine how the binary was installed for standalone.
    5. We do not want conflicting codex installations on PATH. For example,
    the user installing via npm, then installing via brew, then installing
    via standalone would make it unclear which version of codex is being
    launched and make it tough for us to determine the right upgrade
    command.
    
    ## Design
    
    ### Standalone package layout
    
    Standalone installs now live under `CODEX_HOME/packages/standalone`:
    
    ```text
    $CODEX_HOME/
      packages/
        standalone/
          current -> releases/0.111.0-x86_64-unknown-linux-musl
          releases/
            0.111.0-x86_64-unknown-linux-musl/
              codex
              codex-resources/
                rg
    ```
    
    where `standalone/current` is a symlink to a release directory.
    
    On Windows, the release directory has the same shape, with `.exe` names
    and Windows helpers in `codex-resources`:
    
    ```text
    %CODEX_HOME%\
      packages\
        standalone\
          current -> releases\0.111.0-x86_64-pc-windows-msvc
          releases\
            0.111.0-x86_64-pc-windows-msvc\
              codex.exe
              codex-resources\
                rg.exe
                codex-command-runner.exe
                codex-windows-sandbox-setup.exe
    ```
    
    This gives us:
    - atomic upgrades because we can fully stage a release before switching
    `standalone/current`
    - a stable way for the binary to recognize a standalone install from its
    canonical `current_exe()` path under CODEX_HOME
    - a clean place for binary dependencies like `rg`, Windows sandbox
    helpers, and, in the future, our custom `zsh` etc
    
    ### Command location
    
    On Unix, we add a symlink at `~/.local/bin/codex` which points directly
    to the `$CODEX_HOME/packages/standalone/current/codex` binary. This
    becomes the main entrypoint for the CLI.
    
    On Windows, we store the link at
    `%LOCALAPPDATA%\Programs\OpenAI\Codex\bin`.
    
    ### PATH persistence
    
    This is a tricky part of the PR, as there's no ~super reliable way to
    ensure that we end up on PATH without significant tradeoffs.
    
    Most Unix variants will have `~/.local/bin` on PATH already, which means
    we *should* be fine simply registering the command there in most cases.
    However, there are cases where this is not the case. In these cases, we
    directly edit the profile depending on the shell we're in.
    
    - macOS zsh: `~/.zprofile`
    - macOS bash: `~/.bash_profile`
    - Linux zsh: `~/.zshrc`
    - Linux bash: `~/.bashrc`
    - fallback: `~/.profile`
    
    On Windows, we update the User `Path` environment variable directly and
    we don't need to worry about shell profiles.
    
    ### Standalone runtime detection
    
    This PR adds a new shared crate, `codex-install-context`, which computes
    install ownership once per process and caches it in a `OnceLock`.
    
    That context includes:
    - install manager (`Standalone`, `Npm`, `Bun`, `Brew`, `Other`)
    - the managed standalone release directory, when applicable
    - the managed standalone `codex-resources` directory, when present
    - the resolved `rg_command`
    
    The standalone path is detected by canonicalizing `current_exe()`,
    canonicalizing CODEX_HOME via `find_codex_home()`, and checking whether
    the binary is running from under
    `$CODEX_HOME/packages/standalone/releases`.
    
    We intentionally do not use a release metadata file. The binary path is
    the source of truth.
    
    ### Dependency resolution
    
    For standalone installs, `grep_files` now resolves bundled `rg` from
    `codex-resources` next to the Codex binary.
    
    For npm/bun/brew/other installs, `grep_files` falls back to resolving
    `rg` from PATH.
    
    For Windows standalone installs, Windows sandbox helpers are still found
    as direct siblings when present. If they are not direct siblings, the
    lookup also checks the sibling `codex-resources` directory.
    
    ### TUI update path
    
    The TUI now has `UpdateAction::StandaloneUnix` and
    `UpdateAction::StandaloneWindows`, which rerun the standalone install
    commands.
    
    Unix update command:
    
    ```sh
    sh -c "curl -fsSL https://chatgpt.com/codex/install.sh | sh"
    ```
    
    Windows update command:
    
    ```powershell
    powershell -c "irm https://chatgpt.com/codex/install.ps1|iex"
    ```
    
    The Windows updater runs PowerShell directly. We do this because `cmd
    /C` would parse the `|iex` as a cmd pipeline instead of passing it to
    PowerShell.
    
    ## Additional installer behavior
    
    - standalone installs now warn about conflicting npm/bun/brew-managed
    `codex` installs and offer to uninstall them
    - same-version reruns do not redownload the release if it is already
    staged locally
    
    ## Testing
    
    Installer smoke tests run:
    - macOS: fresh install into isolated `HOME` and `CODEX_HOME` with
    `scripts/install/install.sh --release latest`
    - macOS: reran the installer against the same isolated install to verify
    the same-version/update path and PATH block idempotence
    - macOS: verified the installed `codex --version` and bundled
    `codex-resources/rg --version`
    - Windows: parsed `scripts/install/install.ps1` with PowerShell via
    `[scriptblock]::Create(...)`
    - Windows: verified the standalone update action builds a direct
    PowerShell command and does not route the `irm ...|iex` command through
    `cmd /C`
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Support original-detail metadata on MCP image outputs (#17714)
    ## Summary
    - honor `_meta["codex/imageDetail"] == "original"` on MCP image content
    and map it to `detail: "original"` where supported
    - strip that detail back out when the active model does not support
    original-detail image inputs
    - update code-mode `image(...)` to accept individual MCP image blocks
    - teach `js_repl` / `codex.emitImage(...)` to preserve the same hint
    from raw MCP image outputs
    - document the new `_meta` contract and add generic RMCP-backed coverage
    across protocol, core, code-mode, and js_repl paths
  • [docs] Revert extra changes from PR 17848 (#18003)
    ## Summary
    
    1. Revert https://github.com/openai/codex/pull/17848 so the Bazel and
    `BUILD` file changes leave `main`.
    2. Prepare for a narrower follow up that restores only `SECURITY.md`.
    
    ## Validation
    
    1. Reviewed the revert diff against `main`.
    2. Ran a clean diff check before push.
  • feat: Support alternate marketplace manifests and local string (#17885)
    - Discover marketplace manifests from different supported layout paths
    instead of only .agents/plugins/marketplace.json.
    - Accept local plugin sources written either as { source: "local", path:
    ... } or as a direct string path.
    - Skip unsupported or invalid plugin source entries without failing the
    entire marketplace, and keep valid local plugins loadable.
  • Dismiss stale app-server requests after remote resolution (#15134)
    Dismiss stale TUI app-server approvals after remote resolution
    
    When an approval, user-input prompt, or elicitation request is resolved
    by another client, the TUI now dismisses the matching local UI instead
    of leaving stale prompts behind and emitting a misleading local
    cancellation.
    
    This change teaches pending app-server request tracking to map
    `serverRequest/resolved` notifications back to the concrete request type
    and stable request key, then propagates that resolved request into TUI
    prompt state. Approval, request-user-input, and MCP elicitation overlays
    now drop the resolved current or queued request quietly, advance to the
    next queued request when present, and avoid emitting abort/cancel events
    for stale UI.
    
    The latest update also retires matching prompts while they are still
    deferred behind active streaming and suppresses buffered active-thread
    requests whose app-server request id has already been resolved before
    drain. `ChatWidget` removes a resolved request from both the deferred
    interrupt queue and the materialized bottom-pane stack, while
    active-thread request handling verifies the app-server request is still
    pending before showing a prompt. Lifecycle events such as exec begin/end
    remain queued so approved work can still render normally.
    
    Tests cover resolved-request mapping, overlay dismissal behavior,
    deferred prompt pruning for same-turn user input, exec approval IDs,
    lifecycle-event retention, and the buffered active-thread ordering
    regression.
    
    Validation:
    - `just fmt`
    - `git diff --check`
    - `cargo test -p codex-tui
    resolved_buffered_approval_does_not_become_actionable_after_drain`
    - `cargo test -p codex-tui
    enqueue_primary_thread_session_replays_buffered_approval_after_attach`
    - `cargo test -p codex-tui chatwidget::interrupts`
    - `just fix -p codex-tui`
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • [codex] Restore remote exec-server filesystem tests (#17989)
    ## Summary
    
    - Re-enable remote variants for the exec-server filesystem
    sandbox/symlink tests that were made local-only in PR #17671.
    - Restore `use_remote` parameterization for the readable-root,
    normalized symlink escape, symlink removal, and symlink
    copy-preservation cases.
    - Preserve `mode={use_remote}` context on key async filesystem failures
    so CI failures point at the local or remote lane.
    
    ## Validation
    
    - `cd codex-rs && just fmt`
    - Not run: `bazel test
    //codex-rs/exec-server:exec-server-file_system-test` per local Codex
    development guidance to avoid test runs unless explicitly requested.
    
    Co-authored-by: Codex <noreply@openai.com>
  • Migrate archive/unarchive to local ThreadStore (#17892)
    # Summary
    - implement local ThreadStore archive/unarchive operations
    - implement local ThreadStore read_thread operation
    - break up the various ThreadStore local method implementations into
    separate files
    - migrate app-server archive/unarchive and core archive fixture to use
    ThreadStore (but not all read operations yet!)
    - use the ThreadStore's read operation as a proxy check for thread
    persistence/existence in the app server code
    - move all other filesystem operations related to archive (path
    validation etc) into the local thread store.
    
    # Tests
    - add dedicated local store archive/unarchive tests
  • [docs] Add security boundaries reference in SECURITY.md (#17848)
    ## Summary
    1. Add a Security Boundaries section to `SECURITY.md`.
    2. Point readers to the Codex Agent approvals and security documentation
    for sandboxing, approvals, and network controls.
    
    ## Validation
    1. Reviewed the `SECURITY.md` diff in a clean worktree.
    2. No tests run. Docs only change.
  • Support remote compaction for Azure responses providers (#17958)
    Azure Responses providers were still falling back to local compaction
    because the compaction gate only checked
    `ModelProviderInfo::is_openai()`.
    
    Move the capability check onto `ModelProviderInfo` with
    `supports_remote_compaction()`, backed by the existing Azure Responses
    endpoint detection used in `codex-api`, and have `core::compact`
    delegate to that helper.
    
    Add regression coverage for:
    - OpenAI providers using remote compaction
    - Azure providers using remote compaction
    - non-OpenAI/non-Azure providers staying on the local path
    
    resolves #17773
    
    ---------
    
    Co-authored-by: Michael Bolin <mbolin@openai.com>
  • chore(tui) cleanup (#17920)
    ## Summary
    Cleanup extraneous plugins.
  • mcp: remove codex/sandbox-state custom request support (#17957)
    ## Why
    
    #17763 moved sandbox-state delivery for MCP tool calls to request
    `_meta` via the `codex/sandbox-state-meta` experimental capability.
    Keeping the older `codex/sandbox-state` capability meant Codex still
    maintained a second transport that pushed updates with the custom
    `codex/sandbox-state/update` request at server startup and when the
    session sandbox policy changed.
    
    That duplicate MCP path is redundant with the per-tool-call metadata
    path and makes the sandbox-state contract larger than needed. The
    existing managed network proxy refresh on sandbox-policy changes is
    still needed, so this keeps that behavior separate from the removed MCP
    notification.
    
    ## What Changed
    
    - Removed the exported `MCP_SANDBOX_STATE_CAPABILITY` and
    `MCP_SANDBOX_STATE_METHOD` constants.
    - Removed detection of `codex/sandbox-state` during MCP initialization
    and stopped sending `codex/sandbox-state/update` at server startup.
    - Removed the `McpConnectionManager::notify_sandbox_state_change`
    plumbing while preserving the managed network proxy refresh when a user
    turn changes sandbox policy.
    - Slimmed `McpConnectionManager::new` so startup paths pass only the
    initial `SandboxPolicy` needed for MCP elicitation state.
    - Kept `codex/sandbox-state-meta` support intact; servers that opt in
    still receive the current `SandboxState` on tool-call request `_meta`
    ([remaining call
    path](https://github.com/openai/codex/blob/ff2d3c1e72ff08ce13743b99605d19d338edd51c/codex-rs/core/src/mcp_tool_call.rs#L487-L526)).
    - Added regression coverage for refreshing the live managed network
    proxy on a per-turn sandbox-policy change.
    
    ## Verification
    
    - `cargo test -p codex-core
    new_turn_refreshes_managed_network_proxy_for_sandbox_change`
    - `cargo test -p codex-mcp`
  • app-server: track remote-control seq IDs per stream (#17902)
    ## Summary
    
    - Track outbound remote-control sequence IDs independently for each
    client stream.
    - Retain unacked outbound messages per stream using FIFO buffers.
    - Require stream-scoped acks and update tests for contiguous per-stream
    sequencing.
    
    ## Why
    
    The remote-control peer uses outbound sequence gaps to detect lost
    messages and re-initialize. A single global outbound sequence counter
    can create apparent gaps on an individual stream when another stream
    receives an interleaved message.
    
    ## Validation
    
    - `just fmt`
    - `cargo test -p codex-app-server remote_control`
    - `just fix -p codex-app-server`
    - `git diff --check`
  • Refactor auth providers to mutate request headers (#17866)
    ## Summary
    - Move auth header construction into the
    `AuthProvider::add_auth_headers` contract.
    - Inline `CoreAuthProvider` header mutation in its provider impl and
    remove the shared header-map helper.
    - Update HTTP, websocket, file upload, sideband websocket, and test auth
    callsites to use the provider method.
    - Add direct coverage for `CoreAuthProvider` auth header mutation.
    
    ## Testing
    - `just fmt`
    - `cargo test -p codex-api`
    - `cargo test -p codex-core
    client::tests::auth_request_telemetry_context_tracks_attached_auth_and_retry_phase`
    - `cargo test -p codex-core` failed on unrelated/reproducible
    `tools::handlers::multi_agents::tests::multi_agent_v2_followup_task_interrupts_busy_child_without_losing_message`
    
    ---------
    
    Co-authored-by: Celia Chen <celia@openai.com>
  • Add CLI update announcement (#17942)
    ## Summary
    - Keep the existing local-build test announcement as the first
    announcement entry
    - Add the CLI update reminder for versions below `0.120.0`
    - Remove expired onboarding and gpt-5.3-codex announcement entries
    <img width="1576" height="276" alt="Screenshot 2026-04-15 at 1 32 53 PM"
    src="https://github.com/user-attachments/assets/10b55d0b-09cd-4de0-ab51-4293d811b80c"
    />
  • [codex] Add local thread store listing (#17824)
    Builds on top of #17659 
    
    Move the filesystem + sqlite thread listing-related operations inside of
    a local ThreadStore implementation and call ThreadStore from the places
    that used to perform these filesystem/sqlite operations.
    
    This is the first of a series of PRs that will implement the rest of the
    local ThreadStore.
    
    Testing:
    - added unit tests for the thread store implementation
    - adjusted some unit tests in the realtime + personality packages whose
    callsites changed. Specifically I'm trying to hide ThreadMetadata inside
    of the local implementation and make ThreadMetadata a sqlite
    implementation detail concern rather than a public interface, preferring
    the more generate StoredThread interface instead
    - added a corner case test for the personality migration package that
    wasn't covered by the existing test suite
    - adjust the behavior of searched thread listing to run the existing
    local rollout repair/backfill pass _before_ querying SQLite results, so
    callers using ThreadStore::list_threads do not miss matches after a
    partial metadata warm-up
  • Fix empty tool descriptions (#17946)
    ## Summary
    - Ensure direct namespaced MCP tool groups are emitted with a non-empty
    namespace description even when namespace metadata is missing or blank.
    - Add regression coverage for missing MCP namespace descriptions.
    
    ## Cause
    Latest `main` can serialize a direct namespaced MCP tool group with an
    empty top-level `description`. The namespace description path used
    `unwrap_or_default()` when `tool_namespaces` did not include metadata
    for that namespace, so the outbound Responses API payload could contain
    a tool like `{"type":"namespace","description":""}`. The Responses API
    rejects that because namespace tool descriptions must be a non-empty
    string.
    
    ## Fix
    - Add a fallback namespace description: `Tools in the <namespace>
    namespace.`
    - Preserve provided namespace descriptions after trimming, but treat
    blank descriptions as missing.
    
    ### Issue I am seeing
    This is what I am seeing on the local build.
    <img width="1593" height="488" alt="Screenshot 2026-04-15 at 10 55 55
    AM"
    src="https://github.com/user-attachments/assets/bab668ba-bf17-4c71-be4e-b102202fce57"
    />
    
    ---------
    
    Co-authored-by: Sayan Sisodiya <sayan@openai.com>
  • fix: rename is_azure_responses_wire_base_url to is_azure_responses_provider (#17965)
    ## Why
    
    While reviewing https://github.com/openai/codex/pull/17958, the helper
    name `is_azure_responses_wire_base_url` looked misleading because the
    helper returns true for either the `azure` provider name or an Azure
    Responses `base_url`. The new name makes both inputs part of the
    contract.
    
    ## What
    
    - Rename `is_azure_responses_wire_base_url` to
    `is_azure_responses_provider`.
    - Move the `openai.azure.` marker into
    `matches_azure_responses_base_url` so all base URL marker matching is
    centralized.
    - Keep `Provider::is_azure_responses_endpoint()` behavior unchanged.
    
    ## Verification
    
    - Compared the parent and current implementations.
    `name.eq_ignore_ascii_case("azure")` still returns true before
    consulting `base_url`, `None` still returns false, base URLs are still
    lowercased before marker matching, and the same Azure marker set is
    checked.
    - Ran `cargo test -p codex-api`.
  • chore(features) codex dependencies feat (#17960)
    ## Summary
    Setting this up
    
    ## Testing
    - [x] Unit tests pass
  • Fix fs/readDirectory to skip broken symlinks (#17907)
    ## Summary
    - Skip directory entries whose metadata lookup fails during
    `fs/readDirectory`
    - Add an exec-server regression test covering a broken symlink beside
    valid entries
    
    ## Testing
    - `just fmt`
    - `cargo test -p codex-exec-server` (started, but dependency/network
    updates stalled before completion in this environment)
  • Register agent identities behind use_agent_identity (#17386)
    ## Summary
    
    Stack PR 2 of 4 for feature-gated agent identity support.
    
    This PR adds agent identity registration behind
    `features.use_agent_identity`. It keeps the app-server protocol
    unchanged and starts registration after ChatGPT auth exists rather than
    requiring a client restart.
    
    ## Stack
    
    - PR1: https://github.com/openai/codex/pull/17385 - add
    `features.use_agent_identity`
    - PR2: https://github.com/openai/codex/pull/17386 - this PR
    - PR3: https://github.com/openai/codex/pull/17387 - register agent tasks
    when enabled
    - PR4: https://github.com/openai/codex/pull/17388 - use `AgentAssertion`
    downstream when enabled
    
    ## Validation
    
    Covered as part of the local stack validation pass:
    
    - `just fmt`
    - `cargo test -p codex-core --lib agent_identity`
    - `cargo test -p codex-core --lib agent_assertion`
    - `cargo test -p codex-core --lib websocket_agent_task`
    - `cargo test -p codex-api api_bridge`
    - `cargo build -p codex-cli --bin codex`
    
    ## Notes
    
    The full local app-server E2E path is still being debugged after PR
    creation. The current branch stack is directionally ready for review
    while that follow-up continues.
  • Remove exec-server fs sandbox request preflight (#17883)
    ## Summary
    - Remove the exec-server-side manual filesystem request path preflight
    before invoking the sandbox helper.
    - Keep sandbox helper policy construction and platform sandbox
    enforcement as the access boundary.
    - Add a portable local+remote regression for writing through an
    explicitly configured alias root.
    - Remove the metadata symlink-escape assertion that depended on the
    deleted manual preflight; no replacement metadata-specific access probe
    is added.
    
    ## Tests
    - `cargo test -p codex-exec-server --lib`
    - `cargo test -p codex-exec-server --test file_system`
    - `git diff --check`
  • feat: reset memories button (#17937)
    <img width="720" height="175" alt="Screenshot 2026-04-15 at 14 35 02"
    src="https://github.com/user-attachments/assets/041d73ff-8c16-42a9-8e92-c245805084f0"
    />
  • register all mcp tools with namespace (#17404)
    stacked on #17402.
    
    MCP tools returned by `tool_search` (deferred tools) get registered in
    our `ToolRegistry` with a different format than directly available
    tools. this leads to two different ways of accessing MCP tools from our
    tool catalog, only one of which works for each. fix this by registering
    all MCP tools with the namespace format, since this info is already
    available.
    
    also, direct MCP tools are registered to responsesapi without a
    namespace, while deferred MCP tools have a namespace. this means we can
    receive MCP `FunctionCall`s in both formats from namespaces. fix this by
    always registering MCP tools with namespace, regardless of deferral
    status.
    
    make code mode track `ToolName` provenance of tools so it can map the
    literal JS function name string to the correct `ToolName` for
    invocation, rather than supporting both in core.
    
    this lets us unify to a single canonical `ToolName` representation for
    each MCP tool and force everywhere to use that one, without supporting
    fallbacks.
  • feat: memories menu (#17632)
    Add menu that:
    1. If memories feature is not enabled, propose to enable it
    2. Let you choose if you want to generate memories and to use memories
  • [codex] Fix current main CI blockers (#17917)
    ## Summary
    - Fix marketplace-add local path detection on Windows by using
    `Path::is_absolute()`.
    - Make marketplace-add local-source tests parse/write TOML through the
    same helpers instead of raw string matching.
    - Update `rand` 0.9.x to 0.9.3 and document the remaining audited `rand`
    0.8.5 advisory exception.
    - Refresh `MODULE.bazel.lock` after the Cargo.lock update.
    
    ## Why
    Latest `main` had two independent CI blockers: marketplace-add tests
    were not portable to Windows path/TOML escaping, and cargo-deny still
    reported `RUSTSEC-2026-0097` after the recent rustls-webpki fix.
    
    ## Validation
    - `cargo test -p codex-core marketplace_add -- --nocapture`
    - `cargo deny --all-features check`
    - `just bazel-lock-check`
    - `just fix -p codex-core`
    - `just fmt`
    - `git diff --check`
  • Support Unix socket allowlists in macOS sandbox (#17654)
    ## Changes
    
    Allows sandboxes to restrict overall network access while granting
    access to specific unix sockets on mac.
    
    ## Details
    
    - `codex sandbox macos`: adds a repeatable `--allow-unix-socket` option.
    - `codex-sandboxing`: threads explicit Unix socket roots into the macOS
    Seatbelt profile generation.
    - Preserves restricted network behavior when only Unix socket IPC is
    requested, and preserves full network behavior when full network is
    already enabled.
    
    ## Verification
    
    - `cargo test -p codex-cli -p codex-sandboxing`
    - `cargo build -p codex-cli --bin codex`
    - verified that `codex sandbox macos --allow-unix-socket /tmp/test.sock
    -- test-client` grants access as expected
  • Send sandbox state through MCP tool metadata (#17763)
    ## Changes
    
    Allows MCPs to opt in to receiving sandbox config info through `_meta`
    on model-initiated tool calls. This lets MCPs adhere to the thread's
    sandbox if they choose to.
    
    ## Details
    
    - Adds the `codex/sandbox-state-meta` experimental MCP capability.
    - Tracks whether each MCP server advertises that capability.
    - When a server opts in, `codex-core` injects the current `SandboxState`
    into model-initiated MCP tool-call request `_meta`.
    
    ## Verification
    
    - added an integration test for the capability
  • fix: add websocket capability token hash support (#17871)
    ## Summary
    - Allow app-server websocket capability auth to accept a precomputed
    SHA-256 digest via `--ws-token-sha256`.
    - Keep token-file support and enforce exactly one capability token
    source.
    - Document the new auth flag.
    
    ## Testing
    - `just fmt`
    - `cargo test -p codex-app-server transport::auth::tests`
    - `cargo test -p codex-app-server
    websocket_capability_token_sha256_args_parse`
    - `cargo test -p codex-cli app_server_capability_token_flags_parse`
    - `cargo clippy -p codex-app-server --all-targets -- -D warnings`
    - `just fix -p codex-cli`
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • fix: cleanup the contract of the general-purpose exec() function (#17870)
    `exec()` had a number of arguments that were unused, making the function
    signature misleading. This PR aims to clean things up to clarify the
    role of this function and to clarify which fields of `ExecParams` are
    unused and why.
  • sandbox: remove dead seatbelt helper and update tests (#17859)
    ## Why
    
    `spawn_command_under_seatbelt()` in `codex-rs/core/src/seatbelt.rs` had
    fallen out of production use and was only referenced by test-only
    wrappers. That left us with sandbox tests that could stay green even if
    the actual seatbelt exec path regressed, because production shell
    execution now flows through `SandboxManager::transform()` and
    `ExecRequest::from_sandbox_exec_request()` instead of that helper.
    
    Removing the dead helper also exposed one downstream `codex-exec`
    integration test that still imported it, which broke `just clippy`.
    
    ## What Changed
    
    - Removed `codex-rs/core/src/seatbelt.rs` and stopped exporting
    `codex_core::seatbelt`.
    - Removed the redundant `codex-rs/core/tests/suite/seatbelt.rs` coverage
    that only exercised the dead helper.
    - Kept the `openpty` regression check, but moved it into
    `codex-rs/core/tests/suite/exec.rs` so it now runs through
    `process_exec_tool_call()`.
    - Fixed the seatbelt denial test in `codex-rs/core/tests/suite/exec.rs`
    to use `/usr/bin/touch`, so it actually exercises the sandbox instead of
    a nonexistent path.
    - Updated `codex-rs/exec/tests/suite/sandbox.rs` on macOS to build the
    sandboxed command through `build_exec_request()` and spawn the
    transformed command, instead of importing the removed helper.
    - Left the lower-level seatbelt policy coverage in
    `codex-rs/sandboxing/src/seatbelt_tests.rs`, where the policy generator
    is still covered directly.
    
    ## Verification
    
    - `cargo test -p codex-core suite::exec::`
    - `cargo test -p codex-exec`
    - `cargo clippy -p codex-exec --tests -- -D warnings`
  • Reuse remote exec-server in core tests (#17837)
    ## Summary
    - reuse a shared remote exec-server for remote-aware codex-core
    integration tests within a test binary process
    - keep per-test remote cwd creation and cleanup so tests retain
    workspace isolation
    - leave codex_self_exe, codex_linux_sandbox_exe, cwd_path(), and
    workspace_path() behavior unchanged
    
    ## Validation
    - rustfmt codex-rs/core/tests/common/test_codex.rs
    - git diff --check
    - CI is running on the updated branch
  • Fix clippy warnings in external agent config migration (#17884)
    Fix clippy warnings in external agent config migration
    
    ```
    error: this expression creates a reference which is immediately dereferenced by the compiler
       --> core/src/external_agent_config.rs:188:55
        |
    188 |             let migrated = build_config_from_external(&settings)?;
        |                                                       ^^^^^^^^^ help: change this to: `settings`
        |
        = help: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.93.0/index.html#needless_borrow
        = note: requested on the command line with `-D clippy::needless-borrow`
    
    error: useless conversion to the same type: `codex_utils_absolute_path::AbsolutePathBuf`
       --> core/src/external_agent_config.rs:355:27
        |
    355 |                       match AbsolutePathBuf::try_from(
        |  ___________________________^
    356 | |                         add_marketplace_outcome
    357 | |                             .installed_root
    358 | |                             .join(INSTALLED_MARKETPLACE_MANIFEST_RELATIVE_PATH),
    359 | |                     ) {
        | |_____________________^
        |
        = help: consider removing `AbsolutePathBuf::try_from()`
        = help: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.93.0/index.html#useless_conversion
        = note: `-D clippy::useless-conversion` implied by `-D warnings`
        = help: to override `-D warnings` add `#[allow(clippy::useless_conversion)]`
    
    error: aborting due to 2 previous errors
    ```