Commit Graph

54 Commits

  • fix: trying to simplify rust-ci.yml (#2327)
    It turns out that https://github.com/openai/codex/pull/2324 did not
    quite work as intended. Chat's new idea is to have this catch-all "CI
    results" job and update our branch protection rules to require this
    instead.
  • fix: ensure rust-ci always "runs" when a PR is submitted (#2324)
    Our existing path filters for `rust-ci.yml`:
    
    
    https://github.com/openai/codex/blob/235987843c3d6647c0819c1071f9b9f064673e9c/.github/workflows/rust-ci.yml#L1-L11
    
    made it so that PRs that touch only `README.md` would not trigger those
    builds, which is a problem because our branch protection rules are set
    as follows:
    
    <img width="1569" height="1883" alt="Screenshot 2025-08-14 at 4 45
    59 PM"
    src="https://github.com/user-attachments/assets/5a61f8cc-cdaf-4341-abda-7faa7b46dbd4"
    />
    
    With the existing setup, a change to `README.md` would get stuck in
    limbo because not all the CI jobs required to merge would get run. It
    turns out that we need to "run" all the jobs, but make them no-ops when
    the `codex-rs` and `.github` folders are untouched to get the best of
    both worlds.
    
    I asked chat how to fix this, as we want CI to be fast for
    documentation-only changes. It had two suggestions:
    
    - Use https://github.com/dorny/paths-filter or some other third-party
    action.
    - Write an inline Bash script to avoid a third-party dependency.
    
    This PR takes the latter approach so that we are clear about what we're
    running in CI.
  • fix: skip cargo test for release builds on ordinary CI because it is slow, particularly with --all-features set (#2276)
    I put this PR together because I noticed I have to wait quite a bit
    longer on my PRs since we added
    https://github.com/openai/codex/pull/2242 to catch more build issues.
    
    I think we should think about reigning in our use of create features,
    but this should be good enough to speed things up for now.
  • Fix build break and build release (#2242)
    Build release profile for one configuration.
  • fix: improve npm release process (#2055)
    This improves the release process by introducing
    `scripts/publish_to_npm.py` to automate publishing to npm (modulo the
    human 2fac step).
    
    As part of this, it updates `.github/workflows/rust-release.yml` to
    create the artifact for npm using `npm pack`.
    
    And finally, while it is long overdue, this memorializes the release
    process in `docs/release_management.md`.
  • chore: remove the TypeScript code from the repository (#2048)
    This deletes the bulk of the `codex-cli` folder and eliminates the logic
    that builds the TypeScript code and bundles it into the release.
    
    Since this PR modifies `.github/workflows/rust-release.yml`, to test
    changes to the release process, I locally commented out all of the "is
    this commit on upstream `main`" checks in
    `scripts/create_github_release.sh` and ran:
    
    ```
    ./codex-rs/scripts/create_github_release.sh 0.20.0-alpha.4
    ```
    
    Which kicked off:
    
    https://github.com/openai/codex/actions/runs/16842085113
    
    And the release artifacts appear legit!
    
    https://github.com/openai/codex/releases/tag/rust-v0.20.0-alpha.4
  • fix: try building the npm package in CI (#2043)
    Historically, the release process for the npm module has been:
    
    - I run `codex-rs/scripts/create_github_release.sh` to kick off a
    release for the native artifacts.
    - I wait until it is done.
    - I run `codex-cli/scripts/stage_rust_release.py` to build the npm
    release locally
    - I run `npm publish` from my laptop
    
    It has been a longstanding issue to move the npm build to CI. I may
    still have to do the `npm publish` manually because it requires 2fac
    with `npm`, though I assume we can work that out later.
    
    Note I asked Codex to make these updates, and while they look pretty
    good to me, I'm not 100% certain, but let's just merge this and I'll
    kick off another alpha build and we'll see what happens?
  • fix: stop building codex-exec and codex-linux-sandbox binaries (#2036)
    Release builds are taking awhile and part of the reason that we are
    building binaries that we are not really using. Adding Windows binaries
    into releases (https://github.com/openai/codex/pull/2035) slows things
    down, so we need to get some time back.
    
    - `codex-exec` is basically a standalone `codex exec` that we were
    offering because it's a bit smaller as it does not include all the bits
    to power the TUI. We were using it in our experimental GitHub Action, so
    this PR updates the Action to use `codex exec` instead.
    - `codex-linux-sandbox` was a helper binary for the TypeScript version
    of the CLI, but I am about to axe that, so we don't need this either.
    
    If we decide to bring `codex-exec` back at some point, we should use a
    separate instances so we can build it in parallel with `codex`. (I think
    if we had beefier build machines, this wouldn't be so bad, but that's
    not the case with the default runners from GitHub.)
  • feat: include windows binaries in GitHub releases (#2035)
    We should stop shipping the old TypeScript CLI to Windows users. I did
    some light testing of the Rust CLI on Windows in `cmd.exe` and it works
    better than I expected!
  • fix: only tag as prerelease when the version has an -alpha or -beta suffix (#1872)
    Hardcoding to `prerelease: true` is a holdover from before we had
    migrated to the Rust CLI for releases and decided on how we were doing
    version numbers.
    
    To date, I have had to change the release status from "prerelease" to
    "actual release" manually through the GitHub Releases web page. This is
    a semi-serious problem because I've discovered that it messes up
    Homebrew's automation if the version number _looks_ like a real release
    but turns out to be a prerelease. The release potentially gets skipped
    from being published on Homebrew, so it's important to set the value
    correctly from the start.
    
    I verified that `steps.release_name.outputs.name` does not include the
    `rust-v` prefix from the tag name.
  • chore: add support for a new label, codex-rust-review (#1744)
    The goal of this change is to try an experiment where we try to get AI
    to take on more of the code review load. The idea is that once you
    believe your PR is ready for review, please add the `codex-rust-review`
    label (as opposed to the `codex-review` label).
    
    Admittedly the corresponding prompt currently represents my personal
    biases in terms of code review, but we should massage it over time to
    represent the team's preferences.
  • chore: for release build, build specific targets instead of --all-targets (#1656)
    I noticed that releases have taken longer and longer to build.
    Originally, I think I did `--all-targets` to be confident that
    everything builds cleanly, but that's really the job of CI that runs on
    `main`, so we're spending a lot of time in `rust-release.yml` for not
    that much additional signal.
  • chore(rs): update dependencies (#1494)
    ### Chores
    - Update cargo dependencies
    - Remove unused cargo dependencies
    - Fix clippy warnings
    - Update Dockerfile (package.json requires node 22)
    - Let Dependabot update bun, cargo, devcontainers, docker,
    github-actions, npm (nix still not supported)
    
    ### TODO
    - Upgrade dependencies with breaking changes
    
    ```shell
    $ cargo update --verbose
       Unchanged crossterm v0.28.1 (available: v0.29.0)
       Unchanged schemars v0.8.22 (available: v1.0.4)
    ```
  • docs: update documentation to reflect Rust CLI release (#1440)
    As promised on https://github.com/openai/codex/discussions/1405, we are
    making the first official release of the Rust CLI as v0.2.0. As part of
    this move, we are making it available in Homebrew:
    
    https://github.com/Homebrew/homebrew-core/pull/228615
    
    Ultimately, we also plan to continue to make the CLI available in npm,
    as well, though brew is a bit nicer in that `brew install` will download
    only the binary for your platform whereas an npm module is expected to
    contain the binaries for _all_ supported platforms, so it is a bit more
    heavyweight.
    
    A big part of this change is updating the root `README.md` to document
    the behavior of the Rust CLI, which differs in a number of ways from the
    TypeScript CLI. The existing `README.md` is moved to
    `codex-cli/README.md` as part of this PR, as it is still applicable to
    that folder.
    
    As this is still early days for the Rust CLI, I encourage folks to
    provide feedback on the command line flags and configuration options.
  • fix: softprops/action-gh-release@v2 should use existing tag instead of creating a new tag (#1436)
    https://github.com/Homebrew/homebrew-core/pull/228521 details the issues
    I was having with the **Source code (tar.gz)** artifact for our GitHub
    releases not being quite right. I landed these PRs as stabs in the dark
    to fix this:
    
    - https://github.com/openai/codex/pull/1423
    - https://github.com/openai/codex/pull/1430
    
    Based on the insights from
    https://github.com/Homebrew/homebrew-core/pull/228521, I think those
    were wrong and the real problem was this:
    
    
    https://github.com/openai/codex/blob/6dad5c3b1799ac18f7c76a9612f24936682b3c1d/.github/workflows/rust-release.yml#L162
    
    That is, I was manufacturing a new tag name on the fly instead of using
    the existing one.
    
    This PR reverts #1423 and #1430 and hopefully fixes how `tag_name` is
    set for the `softprops/action-gh-release@v2` step so the **Source code
    (tar.gz)** includes the correct files. Assuming this works, this should
    make the Homebrew formula straightforward.
  • fix: support pre-release identifiers in tags (#1422)
    Had to update the regex in the GitHub workflow to allow suffixes like
    `-alpha.4`.
    
    Successfully ran:
    
    ```
    ./scripts/create_github_release.sh 0.1.0-alpha.4
    ```
    
    to create
    https://github.com/openai/codex/releases/tag/codex-rs-b289c9207090b2e27494545d7b5404e063bd86f3-1-rust-v0.1.0-alpha.4
    
    and verified that when I run `codex --version`, it prints `codex-cli
    0.1.0-alpha.4`.
  • fix: include codex-linux-sandbox-aarch64-unknown-linux-musl in the set of release artifacts (#1230)
    This was missed in https://github.com/openai/codex/pull/1225. Once we
    create a new GitHub Release with this change, we can use the URL from
    the workflow that triggered the release in
    https://github.com/openai/codex/pull/1228.
  • fix: support arm64 build for Linux (#1225)
    Users were running into issues with glibc mismatches on arm64 linux. In
    the past, we did not provide a musl build for arm64 Linux because we had
    trouble getting the openssl dependency to build correctly. Though today
    I just tried the same trick in `Cargo.toml` that we were doing for
    `x86_64-unknown-linux-musl` (using `openssl-sys` with `features =
    ["vendored"]`), so I'm not sure what problem we had in the past the
    builds "just worked" today!
    
    Though one tweak that did have to be made is that the integration tests
    for Seccomp/Landlock empirically require longer timeouts on arm64 linux,
    or at least on the `ubuntu-24.04-arm` GitHub Runner. As such, we change
    the timeouts for arm64 in `codex-rs/linux-sandbox/tests/landlock.rs`.
    
    Though in solving this problem, I decided I needed a turnkey solution
    for testing the Linux build(s) from my Mac laptop, so this PR introduces
    `.devcontainer/Dockerfile` and `.devcontainer/devcontainer.json` to
    facilitate this. Detailed instructions are in `.devcontainer/README.md`.
    
    We will update `dotslash-config.json` and other release-related scripts
    in a follow-up PR.
  • fix: update outdated repo setup in codex.yml (#1171)
    We should do some work to share the setup logic across `codex.yml`,
    `ci.yml`, and `rust-ci.yml`.
  • feat: initial import of experimental GitHub Action (#1170)
    This is a first cut at a GitHub Action that lets you define prompt
    templates in `.md` files under `.github/codex/labels` that will run
    Codex with the associated prompt when the label is added to a GitHub
    pull request.
    
    For example, this PR includes these files:
    
    ```
    .github/codex/labels/codex-attempt.md
    .github/codex/labels/codex-code-review.md
    .github/codex/labels/codex-investigate-issue.md
    ```
    
    And the new `.github/workflows/codex.yml` workflow declares the
    following triggers:
    
    ```yaml
    on:
      issues:
        types: [opened, labeled]
      pull_request:
        branches: [main]
        types: [labeled]
    ```
    
    as well as the following expression to gate the action:
    
    ```
    jobs:
      codex:
        if: |
          (github.event_name == 'issues' && (
            (github.event.action == 'labeled' && (github.event.label.name == 'codex-attempt' || github.event.label.name == 'codex-investigate-issue'))
          )) ||
          (github.event_name == 'pull_request' && github.event.action == 'labeled' && github.event.label.name == 'codex-code-review')
    ```
    
    Note the "actor" who added the label must have write access to the repo
    for the action to take effect.
    
    After adding a label, the action will "ack" the request by replacing the
    original label (e.g., `codex-review`) with an `-in-progress` suffix
    (e.g., `codex-review-in-progress`). When it is finished, it will swap
    the `-in-progress` label with a `-completed` one (e.g.,
    `codex-review-completed`).
    
    Users of the action are responsible for providing an `OPENAI_API_KEY`
    and making it available as a secret to the action.
  • feat: introduce support for shell_environment_policy in config.toml (#1061)
    To date, when handling `shell` and `local_shell` tool calls, we were
    spawning new processes using the environment inherited from the Codex
    process itself. This means that the sensitive `OPENAI_API_KEY` that
    Codex needs to talk to OpenAI models was made available to everything
    run by `shell` and `local_shell`. While there are cases where that might
    be useful, it does not seem like a good default.
    
    This PR introduces a complex `shell_environment_policy` config option to
    control the `env` used with these tool calls. It is inevitably a bit
    complex so that it is possible to override individual components of the
    policy so without having to restate the entire thing.
    
    Details are in the updated `README.md` in this PR, but here is the
    relevant bit that explains the individual fields of
    `shell_environment_policy`:
    
    | Field | Type | Default | Description |
    | ------------------------- | -------------------------- | ------- |
    -----------------------------------------------------------------------------------------------------------------------------------------------
    |
    | `inherit` | string | `core` | Starting template for the
    environment:<br>`core` (`HOME`, `PATH`, `USER`, …), `all` (clone full
    parent env), or `none` (start empty). |
    | `ignore_default_excludes` | boolean | `false` | When `false`, Codex
    removes any var whose **name** contains `KEY`, `SECRET`, or `TOKEN`
    (case-insensitive) before other rules run. |
    | `exclude` | array&lt;string&gt; | `[]` | Case-insensitive glob
    patterns to drop after the default filter.<br>Examples: `"AWS_*"`,
    `"AZURE_*"`. |
    | `set` | table&lt;string,string&gt; | `{}` | Explicit key/value
    overrides or additions – always win over inherited values. |
    | `include_only` | array&lt;string&gt; | `[]` | If non-empty, a
    whitelist of patterns; only variables that match _one_ pattern survive
    the final step. (Generally used with `inherit = "all"`.) |
    
    
    In particular, note that the default is `inherit = "core"`, so:
    
    * if you have extra env variables that you want to inherit from the
    parent process, use `inherit = "all"` and then specify `include_only`
    * if you have extra env variables where you want to hardcode the values,
    the default `inherit = "core"` will work fine, but then you need to
    specify `set`
    
    This configuration is not battle-tested, so we will probably still have
    to play with it a bit. `core/src/exec_env.rs` has the critical business
    logic as well as unit tests.
    
    Though if nothing else, previous to this change:
    
    ```
    $ cargo run --bin codex -- debug seatbelt -- printenv OPENAI_API_KEY
    # ...prints OPENAI_API_KEY...
    ```
    
    But after this change it does not print anything (as desired).
    
    One final thing to call out about this PR is that the
    `configure_command!` macro we use in `core/src/exec.rs` has to do some
    complex logic with respect to how it builds up the `env` for the process
    being spawned under Landlock/seccomp. Specifically, doing
    `cmd.env_clear()` followed by `cmd.envs(&$env_map)` (which is arguably
    the most intuitive way to do it) caused the Landlock unit tests to fail
    because the processes spawned by the unit tests started failing in
    unexpected ways! If we forgo `env_clear()` in favor of updating env vars
    one at a time, the tests still pass. The comment in the code talks about
    this a bit, and while I would like to investigate this more, I need to
    move on for the moment, but I do plan to come back to it to fully
    understand what is going on. For example, this suggests that we might
    not be able to spawn a C program that calls `env_clear()`, which would
    be...weird. We may still have to fiddle with our Landlock config if that
    is the case.
  • chore: produce .tar.gz versions of artifacts in addition to .zst (#1036)
    For sparse containers/environments that do not have `zstd`, provide
    `.tar.gz` as alternative archive format.
  • Fix CLA link in workflow (#964)
    ## Summary
    - fix the CLA link posted by the bot
    - docs suggest using an absolute URL:
    https://github.com/marketplace/actions/cla-assistant-lite
  • feat: make it possible to toggle mouse mode in the Rust TUI (#971)
    I did a bit of research to understand why I could not use my mouse to
    drag to select text to copy to the clipboard in iTerm.
    
    Apparently https://github.com/openai/codex/pull/641 to enable mousewheel
    scrolling broke this functionality. It seems that, unless we put in a
    bit of effort, we can have drag-to-select or scrolling, but not both.
    Though if you know the trick to hold down `Option` will dragging with
    the mouse in iTerm, you can probably get by with this. (I did not know
    about this option prior to researching this issue.)
    
    Nevertheless, users may still prefer to disable mouse capture
    altogether, so this PR introduces:
    
    * the ability to set `tui.disable_mouse_capture = true` in `config.toml`
    to disable mouse capture
    * a new command, `/toggle-mouse-mode` to toggle mouse capture
  • chore: introduce AppEventSender to help fix clippy warnings and update to Rust 1.87 (#948)
    Moving to Rust 1.87 introduced a clippy warning that
    `SendError<AppEvent>` was too large.
    
    In practice, the only thing we ever did when we got this error was log
    it (if the mspc channel is closed, then the app is likely shutting down
    or something, so there's not much to do...), so this finally motivated
    me to introduce `AppEventSender`, which wraps
    `std::sync::mpsc::Sender<AppEvent>` with a `send()` method that invokes
    `send()` on the underlying `Sender` and logs an `Err` if it gets one.
    
    This greatly simplifies the code, as many functions that previously
    returned `Result<(), SendError<AppEvent>>` now return `()`, so we don't
    have to propagate an `Err` all over the place that we don't really
    handle, anyway.
    
    This also makes it so we can upgrade to Rust 1.87 in CI.
  • chore: pin Rust version to 1.86 and use io::Error::other to prepare for 1.87 (#947)
    Previously, our GitHub actions specified the Rust toolchain as
    `dtolnay/rust-toolchain@stable`, which meant the version could change
    out from under us. In this case, the move from 1.86 to 1.87 introduced
    new clippy warnings, causing build failures.
    
    Because it will take a little time to fix all the new clippy warnings,
    this PR pins things to 1.86 for now to unbreak the build.
    
    It also replaces `io::Error::new(io::ErrorKind::Other)` with
    `io::Error::other()` in preparation for 1.87.
  • Add codespell support (config, workflow to detect/not fix) and make it fix some typos (#903)
    More about codespell: https://github.com/codespell-project/codespell .
    
    I personally introduced it to dozens if not hundreds of projects already
    and so far only positive feedback.
    
    CI workflow has 'permissions' set only to 'read' so also should be safe.
    
    Let me know if just want to take typo fixes in and get rid of the CI
    
    ---------
    
    Signed-off-by: Yaroslav O. Halchenko <debian@onerussian.com>
  • fix: use continue-on-error: true to tidy up GitHub Action (#871)
    I installed the GitHub Actions extension for VS Code and it started
    giving me lint warnings about this line:
    
    
    https://github.com/openai/codex/blob/a9adb4175c8f19a97e50be53cb6f8fe7ef159762/.github/workflows/rust-ci.yml#L99
    
    Using an env var to track the state of individual steps was not great,
    so I did some research about GitHub actions, which led to the discovery
    of combining `continue-on-error: true` with `if .. steps.STEP.outcome ==
    'failure'...`.
    
    Apparently there is also a `failure()` macro that is supposed to make
    this simpler, but I saw a number of complains online about it not
    working as expected. Checking `outcome` seems maybe more reliable at the
    cost of being slightly more verbose.
  • fix: enable clippy on tests (#870)
    https://github.com/openai/codex/pull/855 added the clippy warning to
    disallow `unwrap()`, but apparently we were not verifying that tests
    were "clippy clean" in CI, so I ended up with a lot of local errors in
    VS Code.
    
    This turns on the check in CI and fixes the offenders.
  • chore: introduce codex-common crate (#843)
    I started this PR because I wanted to share the `format_duration()`
    utility function in `codex-rs/exec/src/event_processor.rs` with the TUI.
    The question was: where to put it?
    
    `core` should have as few dependencies as possible, so moving it there
    would introduce a dependency on `chrono`, which seemed undesirable.
    `core` already had this `cli` feature to deal with a similar situation
    around sharing common utility functions, so I decided to:
    
    * make `core` feature-free
    * introduce `common`
    * `common` can have as many "special interest" features as it needs,
    each of which can declare their own deps
    * the first two features of common are `cli` and `elapsed`
    
    In practice, this meant updating a number of `Cargo.toml` files,
    replacing this line:
    
    ```toml
    codex-core = { path = "../core", features = ["cli"] }
    ```
    
    with these:
    
    ```toml
    codex-core = { path = "../core" }
    codex-common = { path = "../common", features = ["cli"] }
    ```
    
    Moving `format_duration()` into its own file gave it some "breathing
    room" to add a unit test, so I had Codex generate some tests and new
    support for durations over 1 minute.
  • fix: build all crates individually as part of CI (#833)
    I discovered that `cargo build` worked for the entire workspace, but not
    for the `mcp-client` or `core` crates.
    
    * `mcp-client` failed to build because it underspecified the set of
    features it needed from `tokio`.
    * `core` failed to build because it was using a "feature" of its own
    crate in the default, no-feature version.
     
    This PR fixes the builds and adds a check in CI to defend against this
    sort of thing going forward.
  • chore: make build process a single script to run (#757)
    This introduces `./codex-cli/scripts/stage_release.sh`, which is a shell
    script that stages a release for the Node.js module in a temp directory.
    It updates the release to include these native binaries:
    
    ```
    bin/codex-linux-sandbox-arm64
    bin/codex-linux-sandbox-x64
    ```
    
    though this PR does not update Codex CLI to use them yet.
    
    When doing local development, run
    `./codex-cli/scripts/install_native_deps.sh` to install these in your
    own `bin/` folder.
    
    This PR also updates `README.md` to document the new workflow.
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/757).
    * #763
    * __->__ #757
  • chore: mark Rust releases as "prerelease" (#761)
    Apparently the URLs for draft releases cannot be downloaded using
    unauthenticated `curl`, which means the DotSlash file only works for
    users who are authenticated with `gh`. According to chat, prereleases
    _can_ be fetched with unauthenticated `curl`, so let's try that.
  • chore: Rust release, set prerelease:false and version=0.0.2504301132 (#755)
    The generated DotSlash file has URLs that refer to
    `https://github.com/openai/codex/releases/`, so let's set
    `prerelease:false` (but keep `draft:true` for now) so those URLs should
    work.
    
    Also updated `version` in Cargo workspace so I will kick off a build
    once this lands.
  • fix: remove expected dot after v in rust-v tag name (#742)
    I think this extra dot was not intentional, but I'm not sure. Certainly
    this comment suggests it should not be there:
    
    
    https://github.com/openai/codex/blob/85999d72770832e2b1b457401c6c68d86e08344b/.github/workflows/rust-release.yml#L4
  • chore: fix errors in .github/workflows/rust-release.yml and prep 0.0.2504292006 release (#745)
    Apparently I made two key mistakes in
    https://github.com/openai/codex/pull/740 (fixed in this PR):
    
    * I forgot to redefine `$dest` in the `Stage Linux-only artifacts` step
    * I did not define the `if` check correctly in the `Stage Linux-only
    artifacts` step
    
    This fixes both of those issues and bumps the workspace version to
    `0.0.2504292006` in preparation for another release attempt.
  • fix: primary output of the codex-cli crate is named codex, not codex-cli (#743)
    I just got a bunch of failures in the release workflow:
    
    https://github.com/openai/codex/actions/runs/14745492805/job/41391926707
    
    along the lines of:
    
    ```
    cp: cannot stat 'target/aarch64-unknown-linux-gnu/release/codex-cli': No such file or directory
    ```
  • feat: codex-linux-sandbox standalone executable (#740)
    This introduces a standalone executable that run the equivalent of the
    `codex debug landlock` subcommand and updates `rust-release.yml` to
    include it in the release.
    
    The idea is that we will include this small binary with the TypeScript
    CLI to provide support for Linux sandboxing.
  • [codex-rs] Add rust-release action (#671)
    Taking a pass at building artifacts per platform so we can consider
    different distribution strategies that don't require users to install
    the full `cargo` toolchain.
    
    Right now this grabs just the `codex-repl` and `codex-tui` bins for 5
    different targets and bundles them into a draft release. I think a
    clearly marked pre-release set of artifacts will unblock the next step
    of testing.
  • ci: build Rust on Windows as part of CI (#665)
    While we aren't ready to provide Windows binaries of Codex CLI, it seems
    like a good idea to ensure we guard platform-specific code
    appropriately.
  • [codex-rs] CI performance for rust (#639)
    * Refactors the rust-ci into a matrix build
    * Adds directory caching for the build artifacts
    * Adds workflow dispatch for manual testing
  • fix: add RUST_BACKTRACE=full when running cargo test in CI (#638)
    This should provide more information in the event of a failure.
  • fix: only run rust-ci.yml on PRs that modify files in codex-rs (#637)
    The `rust-ci.yml` build appears to be a bit flaky (we're looking into
    it...), so to save TypeScript contributors some noise, restrict the
    `rust-ci.yml` job so that it only runs on PRs that touch files in
    `codex-rs/`.
  • feat: initial import of Rust implementation of Codex CLI in codex-rs/ (#629)
    As stated in `codex-rs/README.md`:
    
    Today, Codex CLI is written in TypeScript and requires Node.js 22+ to
    run it. For a number of users, this runtime requirement inhibits
    adoption: they would be better served by a standalone executable. As
    maintainers, we want Codex to run efficiently in a wide range of
    environments with minimal overhead. We also want to take advantage of
    operating system-specific APIs to provide better sandboxing, where
    possible.
    
    To that end, we are moving forward with a Rust implementation of Codex
    CLI contained in this folder, which has the following benefits:
    
    - The CLI compiles to small, standalone, platform-specific binaries.
    - Can make direct, native calls to
    [seccomp](https://man7.org/linux/man-pages/man2/seccomp.2.html) and
    [landlock](https://man7.org/linux/man-pages/man7/landlock.7.html) in
    order to support sandboxing on Linux.
    - No runtime garbage collection, resulting in lower memory consumption
    and better, more predictable performance.
    
    Currently, the Rust implementation is materially behind the TypeScript
    implementation in functionality, so continue to use the TypeScript
    implmentation for the time being. We will publish native executables via
    GitHub Releases as soon as we feel the Rust version is usable.
  • add check to ensure ToC in README.md matches headings in the file (#541)
    This introduces a Python script (written by Codex!) to verify that the
    table of contents in the root `README.md` matches the headings. Like
    `scripts/asciicheck.py` in https://github.com/openai/codex/pull/513, it
    reports differences by default (and exits non-zero if there are any) and
    also has a `--fix` option to synchronize the ToC with the headings.
    
    This will be enforced by CI and the changes to `README.md` in this PR
    were generated by the script, so you can see that our ToC was missing
    some entries prior to this PR.
  • Enforce ASCII in README.md (#513)
    This all started because I was going to write a script to autogenerate
    the Table of Contents in the root `README.md`, but I noticed that the
    `href` for the "Why Codex?" heading was `#whycodex` instead of
    `#why-codex`. This piqued my curiosity and it turned out that the space
    in "Why Codex?" was not an ASCII space but **U+00A0**, a non-breaking
    space, and so GitHub ignored it when generating the `href` for the
    heading.
    
    This also meant that when I did a text search for `why codex` in the
    `README.md` in VS Code, the "Why Codex" heading did not match because of
    the presence of **U+00A0**.
    
    In short, these types of Unicode characters seem like a hazard, so I
    decided to introduce this script to flag them, and if desired, to
    replace them with "good enough" ASCII equivalents. For now, this only
    applies to the root `README.md` file, but I think we should ultimately
    apply this across our source code, as well, as we seem to have quite a
    lot of non-ASCII Unicode and it's probably going to cause `rg` to miss
    things.
    
    Contributions of this PR:
    
    * `./scripts/asciicheck.py`, which takes a list of filepaths and returns
    non-zero if any of them contain non-ASCII characters. (Currently, there
    is one exception for  aka **U+2728**, though I would like to default to
    an empty allowlist and then require all exceptions to be specified as
    flags.)
    * A `--fix` option that will attempt to rewrite files with violations
    using a equivalents from a hardcoded substitution list.
    * An update to `ci.yml` to verify `./scripts/asciicheck.py README.md`
    succeeds.
    * A cleanup of `README.md` using the `--fix` option as well as some
    editorial decisions on my part.
    * I tried to update the `href`s in the Table of Contents to reflect the
    changes in the heading titles. (TIL that if a heading has a character
    like `&` surrounded by spaces, it becomes `--` in the generated `href`.)