Audit Codex CLI app-server parity for Every Code

[shiny-code-bot]

Current Status

State: Audit complete; follow-up issues created.
Next action: Start #225 first. Keep #226 and #227 parked until the desktop/app-server client direction in #217/#37 is chosen.
Blocked by: None.
Waiting for: Implementation slot for #225; product decision for #226/#227.
Last verified: 2026-05-30.

Audit result:

• Import/adapt now: Harden Every Code app-server websocket transport #225 hardens Every Code's existing app-server websocket transport. This is real product hardening because current code-rs/app-server/src/transport.rs accepts raw websocket connections and the app-server exposes command-capable requests such as ExecOneOffCommand.
• Defer behind desktop/app-server direction: Add initial turns page to app-server thread resume #226 adds an optional initial turns page to v2 thread/resume; Define app-server remote history redaction policy #227 defines remote-client history redaction. Both are valuable only if Every Code makes v2 app-server thread lifecycle a real client surface.
• Already handled/non-applicable: Assess and port exec-server filesystem helper lifecycle hardening #215 showed exec-server filesystem helper lifecycle fixes do not apply to editable code-rs; current Every Code has no editable code-rs/exec-server crate or upstream fs/watch app-server runtime surface.
• Reject as blind parity: Codex-specific remote-control server-token/enrollment/reconnect/stall commits are tied to ChatGPT remote-control infrastructure that Every Code does not currently ship. Treat desktop remote compatibility as Investigate Codex desktop app remote control compatibility #217/Evaluate upstream app-server remote-control support #37 design work, not a wholesale port.

Useful upstream commits considered:

• a027135bc6 Origin-header rejection for exec-server websocket requests; adapt the browser-Origin hardening to Every Code app-server in Harden Every Code app-server websocket transport #225.
• 51bfb5f3b1 app-server websocket listener with auth guard; adapt the trust-boundary decision in Harden Every Code app-server websocket transport #225.
• 1509ae6d8d local-only app-server gating through processors; audit command-capable methods in Harden Every Code app-server websocket transport #225.
• 2a1158b8e2 initial turns page on thread/resume; parked as Add initial turns page to app-server thread resume #226.
• 7bddb3083d remote-client thread-history redaction; parked as Define app-server remote history redaction policy #227.
• 522f549922, c579da41b1, de80fa6e31, 64ead6a83a, c57dee98b7 are watcher/exec-server robustness changes with no direct editable Every Code surface today.

Finish Line

Every Code has a ranked app-server parity matrix for Codex CLI changes since the fork, with each candidate classified as import, adapt, reject, or already covered.

Acceptance Criteria

• Identify Codex CLI app-server, app-server-protocol, remote-control, session lifecycle, thread resume, file-watch, and auth/server changes since the fork point.
• Compare each against Every Code's editable app-server implementation under code-rs.
• Classify candidates by product value: hardening, user-visible capability, compatibility, or reject/no benefit.
• Produce scoped follow-up issues only for candidates that improve Every Code meaningfully.
• Explicitly avoid porting for the sake of parity alone.

Notes

This exists because Every Code did build a version of the Codex app server, so a broad Codex CLI scan should not stop at TUI/core candidates. The output should guide product-hardening work, not become a mechanical checklist.

Relationships

• Parent upstream intake: Check upstream changes from just-every/code and openai/codex #124.
• Created from this audit: Harden Every Code app-server websocket transport #225, Add initial turns page to app-server thread resume #226, Define app-server remote history redaction policy #227.
• Existing remote/desktop design context: Investigate Codex desktop app remote control compatibility #217 and Evaluate upstream app-server remote-control support #37.
• Completed related work: Port stale multi-agent slot cleanup from Codex CLI #214 stale multi-agent slot cleanup; Assess and port exec-server filesystem helper lifecycle hardening #215 exec-server filesystem helper lifecycle assessment.

[shiny-code-bot]

Closing because the Codex CLI app-server parity audit is complete and the meaningful work has been split into focused follow-ups.

Outcome:

• Harden Every Code app-server websocket transport #225 is the do-now hardening candidate: app-server websocket transport should reject browser-origin handshakes and avoid unauthenticated non-loopback exposure while command-capable methods exist.
• Add initial turns page to app-server thread resume #226 is parked for desktop/app-server direction: optional initial turns page on v2 thread/resume.
• Define app-server remote history redaction policy #227 is parked for desktop/app-server direction: explicit remote history redaction policy.
• Watcher and exec-server commits from OpenAI Codex do not currently map to editable Every Code surfaces, so they are not port candidates today.
• Codex-specific remote-control server-token/enrollment/reconnect work should feed Investigate Codex desktop app remote control compatibility #217/Evaluate upstream app-server remote-control support #37 as design input, not be ported wholesale.

This keeps the "no parity-only ports" rule intact: one immediate hardening task, two deferred app-server-client tasks, and everything else rejected or held until the product surface exists.