## Why
`PermissionProfile` is becoming the canonical permissions abstraction,
but the old shape only carried optional filesystem and network fields.
It could describe allowed access, but not who is responsible for
enforcing it. That made `DangerFullAccess` and `ExternalSandbox` lossy
when profiles were exported, cached, or round-tripped through app-server
APIs.
The important model change is that active permissions are now a disjoint
union over the enforcement mode. Conceptually:
```rust
pub enum PermissionProfile {
    Managed {
        file_system: FileSystemSandboxPolicy,
        network: NetworkSandboxPolicy,
    },
    Disabled,
    External {
        network: NetworkSandboxPolicy,
    },
}
```
This distinction matters because `Disabled` means Codex should apply no
outer sandbox at all, while `External` means filesystem isolation is
owned by an outside caller. Those are not equivalent to a broad managed
sandbox. For example, macOS cannot nest Seatbelt inside Seatbelt, so an
inner sandbox may require the outer Codex layer to use no sandbox rather
than a permissive one.
## How Existing Modeling Maps
Legacy `SandboxPolicy` remains a boundary projection, but it now maps
into the higher-fidelity profile model:
- `ReadOnly` and `WorkspaceWrite` map to `PermissionProfile::Managed`
with restricted filesystem entries plus the corresponding network
policy.
- `DangerFullAccess` maps to `PermissionProfile::Disabled`, preserving
the “no outer sandbox” intent instead of treating it as a lax managed
sandbox.
- `ExternalSandbox { network_access }` maps to
`PermissionProfile::External { network }`, preserving external
filesystem enforcement while still carrying the active network policy.
- Split runtime policies that legacy `SandboxPolicy` cannot faithfully
express, such as managed unrestricted filesystem plus restricted
network, stay `Managed` instead of being collapsed into
`ExternalSandbox`.
- Per-command/session/turn grants remain partial overlays via
`AdditionalPermissionProfile`; full `PermissionProfile` is reserved for
complete active runtime permissions.
## What Changed
- Change active `PermissionProfile` into a tagged union: `managed`,
`disabled`, and `external`.
- Keep partial permission grants separate with
`AdditionalPermissionProfile` for command/session/turn overlays.
- Represent managed filesystem permissions as either `restricted`
entries or `unrestricted`; `glob_scan_max_depth` is non-zero when
present.
- Preserve old rollout compatibility by accepting the pre-tagged `{
network, file_system }` profile shape during deserialization.
- Preserve fidelity for important edge cases: `DangerFullAccess`
round-trips as `disabled`, `ExternalSandbox` round-trips as `external`,
and managed unrestricted filesystem + restricted network stays managed
instead of being mistaken for external enforcement.
- Preserve configured deny-read entries and bounded glob scan depth when
full profiles are projected back into runtime policies, including
unrestricted replacements that now become `:root = write` plus deny
entries.
- Regenerate the experimental app-server v2 JSON/TypeScript schema and
update the `command/exec` README example for the tagged
`permissionProfile` shape.
## Compatibility
Legacy `SandboxPolicy` remains available at config/API boundaries as the
compatibility projection. Existing rollout lines with the old
`PermissionProfile` shape continue to load. The app-server
`permissionProfile` field is experimental, so its v2 wire shape is
intentionally updated to match the higher-fidelity model.
## Verification
- `just write-app-server-schema`
- `cargo check --tests`
- `cargo test -p codex-protocol permission_profile`
- `cargo test -p codex-protocol
preserving_deny_entries_keeps_unrestricted_policy_enforceable`
- `cargo test -p codex-app-server-protocol
permission_profile_file_system_permissions`
- `cargo test -p codex-app-server-protocol serialize_client_response`
- `cargo test -p codex-core
session_configured_reports_permission_profile_for_external_sandbox`
- `just fix`
- `just fix -p codex-protocol`
- `just fix -p codex-app-server-protocol`
- `just fix -p codex-core`
- `just fix -p codex-app-server`
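The mapping and round-trip behaviour described in the commit message above, as an added example that is not the project's code. The type shapes are simplified stand-ins, the entry strings `:root = read` and `:cwd = write` are constructed, and returning `None` for profiles the legacy enum cannot express is an assumption of this sketch.

```rust
// Simplified stand-ins for the types named above; field shapes and the entry
// strings are constructed for this example, not the project's definitions.
#[derive(Debug, Clone, PartialEq)]
pub enum FileSystemSandboxPolicy { Restricted(Vec<&'static str>), Unrestricted }
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum NetworkSandboxPolicy { Restricted, Enabled }
#[derive(Debug, Clone, PartialEq)]
pub enum PermissionProfile {
    Managed { file_system: FileSystemSandboxPolicy, network: NetworkSandboxPolicy },
    Disabled,
    External { network: NetworkSandboxPolicy },
}
#[derive(Debug, Clone, PartialEq)]
pub enum SandboxPolicy {
    ReadOnly,
    WorkspaceWrite { network_access: bool },
    DangerFullAccess,
    ExternalSandbox { network_access: bool },
}

const READ_ONLY: &[&str] = &[":root = read"];
const WORKSPACE: &[&str] = &[":root = read", ":cwd = write"];

fn net(enabled: bool) -> NetworkSandboxPolicy {
    if enabled { NetworkSandboxPolicy::Enabled } else { NetworkSandboxPolicy::Restricted }
}

/// Legacy policy -> profile: the enforcement mode is kept as the variant.
pub fn from_legacy(p: &SandboxPolicy) -> PermissionProfile {
    use FileSystemSandboxPolicy::Restricted;
    match p {
        SandboxPolicy::ReadOnly => PermissionProfile::Managed {
            file_system: Restricted(READ_ONLY.to_vec()),
            network: NetworkSandboxPolicy::Restricted,
        },
        SandboxPolicy::WorkspaceWrite { network_access } => PermissionProfile::Managed {
            file_system: Restricted(WORKSPACE.to_vec()),
            network: net(*network_access),
        },
        SandboxPolicy::DangerFullAccess => PermissionProfile::Disabled,
        SandboxPolicy::ExternalSandbox { network_access } => {
            PermissionProfile::External { network: net(*network_access) }
        }
    }
}

/// Profile -> legacy projection. `None` means the legacy enum cannot express
/// the profile, so the caller has to keep the full profile instead.
pub fn to_legacy(p: &PermissionProfile) -> Option<SandboxPolicy> {
    use FileSystemSandboxPolicy::Restricted;
    let on = |n: &NetworkSandboxPolicy| *n == NetworkSandboxPolicy::Enabled;
    match p {
        PermissionProfile::Disabled => Some(SandboxPolicy::DangerFullAccess),
        PermissionProfile::External { network } => {
            Some(SandboxPolicy::ExternalSandbox { network_access: on(network) })
        }
        PermissionProfile::Managed { file_system: Restricted(e), network } => match e.as_slice() {
            s if s == READ_ONLY && !on(network) => Some(SandboxPolicy::ReadOnly),
            s if s == WORKSPACE => Some(SandboxPolicy::WorkspaceWrite { network_access: on(network) }),
            _ => None,
        },
        // Managed + unrestricted filesystem must not collapse into ExternalSandbox.
        PermissionProfile::Managed { .. } => None,
    }
}
```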
Fixes openai#19257.
## Summary
Agent roles declared in config layers can set `config_file` to a relative path, but deserializing the layer-local `[agents.*]` table happened without an `AbsolutePathBuf` base path. That caused configs like `config_file = "agents/my-role.toml"` to fail with `AbsolutePathBuf deserialized without a base path`.
This updates agent role layer loading to deserialize `[agents.*]` while the layer config folder is active as the path base, matching the behavior documented for `AgentRoleToml.config_file`. It also adds coverage for a user config layer with a relative agent role `config_file`.
## Why
A rerun of the Windows Bazel clippy job after [openai#19161](openai#19161) had exactly the cache behavior we wanted in BuildBuddy: zero action-cache misses. Even so, the GitHub job still took a little over five minutes.
The problem was that the job was paying for two separate Bazel startup paths:
1. a `bazel query` to discover extra lint targets
2. the real `bazel build --config=clippy ...` invocation

On Windows, that query was bypassing the CI Bazel wrapper, so it did not reuse the same `--output_user_root`, CI config, or remote-cache setup as the real build. In practice that meant the rerun could still cold-start a separate Bazel server before the actual clippy build even began.
## What
- add `.github/scripts/run-bazel-query-ci.sh` to run CI-side Bazel queries with the same startup and cache-related flags as the main Bazel command
- switch `scripts/list-bazel-clippy-targets.sh` to use that helper for manual `rust_test` target discovery
- switch `tools/argument-comment-lint/list-bazel-targets.sh` to use the same helper
- simplify `.github/scripts/run-argument-comment-lint-bazel.sh` so its Windows-only query path also goes through the shared helper

This keeps the target-discovery queries aligned with the later build/test invocation instead of treating them as a separate cold Bazel session.
## Verification
- `bash -n .github/scripts/run-bazel-query-ci.sh`
- `bash -n scripts/list-bazel-clippy-targets.sh`
- `bash -n tools/argument-comment-lint/list-bazel-targets.sh`
- `bash -n .github/scripts/run-argument-comment-lint-bazel.sh`
- mocked a Windows invocation of `run-bazel-query-ci.sh` and verified it forwards `--output_user_root`, `--config=ci-windows`, the BuildBuddy auth header, and the repository cache flags
## Docs
No documentation updates are needed.
## Summary
`codex.emitImage` accepted arbitrary image MIME types for byte payloads
and data URLs. That allowed a value like `image/rgba` to be wrapped as
an `input_image`, even though it is not a supported encoded image
format, so the invalid image could reach the model-input path and
trigger output sanitization.
This results in a panic in debug builds because the output sanitization
is meant as a final safety net, not a primary means of rejecting invalid
image types. I've hit this case multiple times when executing certain
long-running tasks.
This PR rejects unsupported image MIME types before they are emitted
from `js_repl`.
## Changes
- Validate `codex.emitImage({ bytes, mimeType })` in the JS kernel so
only encoded PNG, JPEG, WebP, or GIF payloads are accepted.
- Apply the same MIME allowlist to direct image data URLs, including the
Rust host-side validation path.
- Clarify the JS REPL instructions so agents know byte payloads must
already be encoded as PNG/JPEG/WebP/GIF.
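An allowlist check of the kind this commit message describes, covering both the byte-payload `mimeType` and data URLs, as an added example that is not the project's code. The function and type names are hypothetical, and the MIME strings are the standard ones for the four formats the message lists.

```rust
// Added illustration: allowlist check for image MIME types on byte payloads
// and data URLs. All names here are hypothetical, not the project's API.
const ALLOWED_IMAGE_MIME: [&str; 4] = ["image/png", "image/jpeg", "image/webp", "image/gif"];

#[derive(Debug, PartialEq)]
pub enum ImageError {
    NotDataUrl,
    MissingPayload,
    UnsupportedMime(String),
}

/// Check the `mimeType` given alongside raw bytes. Matching is exact after
/// trimming and ASCII lowercasing, so `image/rgba` or `image/*` never pass.
pub fn check_mime(mime: &str) -> Result<&'static str, ImageError> {
    let wanted = mime.trim().to_ascii_lowercase();
    match ALLOWED_IMAGE_MIME.iter().copied().find(|a| *a == wanted) {
        Some(allowed) => Ok(allowed),
        None => Err(ImageError::UnsupportedMime(wanted)),
    }
}

/// Check a `data:` URL of the form `data:<mediatype>[;param]*[;base64],<payload>`.
pub fn check_data_url(url: &str) -> Result<&'static str, ImageError> {
    // The scheme is matched case-insensitively; `get` also guards short input.
    let is_data = url.get(..5).map_or(false, |p| p.eq_ignore_ascii_case("data:"));
    if !is_data {
        return Err(ImageError::NotDataUrl);
    }
    let (header, payload) = url[5..].split_once(',').ok_or(ImageError::MissingPayload)?;
    if payload.is_empty() {
        return Err(ImageError::MissingPayload);
    }
    // Only the media type (first `;`-separated segment) is compared. An empty
    // one means text/plain per RFC 2397 and is rejected like any non-image.
    check_mime(header.split(';').next().unwrap_or(""))
}

fn main() {
    // Constructed inputs: the payloads are placeholders, only the headers matter.
    for input in ["data:image/png;base64,iVBORw0KGgo=", "data:image/rgba;base64,AAAA"] {
        println!("{} -> {:?}", input, check_data_url(input));
    }
}
```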
we were not respecting turn's `truncation_policy` to clamp output tokens for `unified_exec` and `write_stdin`.
this meant truncation was only being applied by `ContextManager` before the output was stored in-memory (so it _was_ being truncated from model-visible context), but the full output was persisted to rollout on disk.
now we respect that `truncation_policy` and `ContextManager`-level truncation remains a backup.
### Tests
added tests, tested locally.
## Summary
Fixes openai#19275.
Codex runtime rejects inline MCP `bearer_token` config entries and asks users to configure `bearer_token_env_var` instead, but the generated config schema still advertised `mcp_servers.<name>.bearer_token` as a supported field. That made editor/schema validation disagree with runtime validation.
This keeps `bearer_token` in `RawMcpServerConfig` so Codex can continue producing the targeted runtime error for recent or existing configs, but skips the field during schemars generation. The checked-in `core/config.schema.json` fixture now exposes `bearer_token_env_var` without exposing unsupported inline `bearer_token`.
## Verification
- Added `config_schema_hides_unsupported_inline_mcp_bearer_token` to assert the generated schema hides `bearer_token` while preserving `bearer_token_env_var`.
- Ran `cargo test -p codex-config`.
- Ran `cargo test -p codex-core config_schema`.
## Summary
Fixes openai#19022.
`codex exec --json` currently emits `turn.completed.usage` with input, cached input, and output token counts, but drops the reasoning-token split that Codex already receives through thread token usage updates. Programmatic consumers that rely on the JSON stream, especially ephemeral runs that do not write rollout files, need this field to accurately display reasoning-model usage.
This PR adds `reasoning_output_tokens` to the public exec JSON `Usage` payload and maps it from the existing `ThreadTokenUsageUpdated` total token usage data.
## Verification
- Added coverage to `event_processor_with_json_output::token_usage_update_is_emitted_on_turn_completion` so `turn.completed.usage.reasoning_output_tokens` is asserted.
- Updated SDK expectations for `run()` and `runStreamed()` so TypeScript consumers see the new usage field.
- Ran `cargo test -p codex-exec`.
- Ran `pnpm --filter ./sdk/typescript run build`.
- Ran `pnpm --filter ./sdk/typescript run lint`.
- Ran `pnpm --filter ./sdk/typescript exec jest --runInBand --testTimeout=30000`.

Supersedes openai#18735.
The scheduled rust-release-prepare workflow force-pushed `bot/update-models-json` back to the generated models.json-only diff, which dropped the test and snapshot updates needed for CI.
This PR keeps the latest generated `models.json` from openai#18735 and adds the corresponding fixture updates:
- preserve model availability NUX in the app-server model cache fixture
- update core/TUI expectations for the new `gpt-5.4` `xhigh` default reasoning
- refresh affected TUI chatwidget snapshots for the `gpt-5.5` default/model copy changes

Validation run locally while preparing the fix:
- `just fmt`
- `cargo test -p codex-app-server model_list`
- `cargo test -p codex-core includes_no_effort_in_request`
- `cargo test -p codex-core includes_default_reasoning_effort_in_request_when_defined_by_model_info`
- `cargo test -p codex-tui --lib chatwidget::tests`
- `cargo insta pending-snapshots`

---------
Co-authored-by: aibrahim-oai <219906144+aibrahim-oai@users.noreply.github.com>
## New Features
- App-server integrations now support Unix socket transport, pagination-friendly resume/fork, sticky environments, and remote thread config/store plumbing. (openai#18255, openai#18892, openai#18897, openai#18908, openai#19008, openai#19014)
- App-server plugin management can install remote plugins and upgrade configured marketplaces. (openai#18917, openai#19074)
- Permission profiles now round-trip across TUI sessions, user turns, MCP sandbox state, shell escalation, and app-server APIs. (openai#18284, openai#18285, openai#18286, openai#18287, openai#19231)
- Model providers now own model discovery, with AWS/Bedrock account state exposed to app clients. (openai#18950, openai#19048)
- `codex exec --json` now reports reasoning-token usage for programmatic consumers. (openai#19308)
- Rollout tracing now records tool, code-mode, session, and multi-agent relationships, with a debug reducer command for inspection. (openai#18878, openai#18879, openai#18880)
## Bug Fixes
- Interrupting `/review` and exiting the TUI no longer leaves the interface wedged on delegate startup or unsubscribe. (openai#18921)
- Exec-server no longer drops buffered output after process exit and now waits correctly for stream closure. (openai#18946, openai#19130)
- App-server now respects explicitly untrusted project config instead of auto-persisting trust. (openai#18626)
- WebSocket app-server clients are less likely to disconnect during bursts of turn and tool-output notifications. (openai#19246)
- Windows sandbox startup handles multiple CLI versions and installed app directories better, and background `Start-Process` calls avoid visible PowerShell windows. (openai#19044, openai#19180, openai#19214)
- Config/schema handling now rejects conflicting MultiAgentV2 thread limits, resolves relative agent-role config paths, hides unsupported MCP bearer-token fields, and rejects invalid `js_repl` image MIME types. (openai#19129, openai#19261, openai#19294, openai#19292)
## Documentation
- App-server docs and generated schemas were refreshed for the new transport, thread, marketplace, sticky environment, and permission-profile APIs. (openai#18255, openai#18897, openai#19014, openai#19074, openai#19231)
- Rollout-trace documentation now covers the debug trace reduction workflow. (openai#18880)
## Chores
- Refreshed `models.json` and related core, app-server, SDK, and TUI fixtures for the latest model catalog and reasoning defaults. (openai#19323)
- Windows Bazel CI now uses a stable PATH and shared query startup path for better cache reuse. (openai#19161, openai#19232)
- Plugin marketplace add/remove/startup-sync internals moved out of `codex-core`, and curated plugin cache versions now use short SHAs. (openai#19099, openai#19095)
- Reverted a macOS signing entitlement change after it caused alpha startup failures. (openai#19167, openai#19350)
- Stabilized flaky approval-popup and plugin MCP tool-discovery tests. (openai#19178, openai#19191)
## Changelog
Full Changelog: openai/codex@rust-v0.124.0...rust-v0.125.0
- openai#19129 Reject agents.max_threads with multi_agent_v2 @jif-oai
- openai#19130 exec-server: wait for close after observed exit @jif-oai
- openai#19149 Update safety check wording @etraut-openai
- openai#18284 tui: sync session permission profiles @bolinfest
- openai#18710 [codex] Fix plugin marketplace help usage @xli-oai
- openai#19127 feat: drop spawned-agent context instructions @jif-oai
- openai#18892 Add remote thread config loader protos @rasmusrygaard
- openai#19014 Add excludeTurns parameter to thread/resume and thread/fork @ddr-oai
- openai#18882 [codex] Route live thread writes through ThreadStore @wiltzius-openai
- openai#19008 [codex] Implement remote thread store methods @wiltzius-openai
- openai#18626 Respect explicit untrusted project config @etraut-openai
- openai#18255 app-server: add Unix socket transport @euroelessar
- openai#19167 ci: add macOS keychain entitlements @euroelessar
- openai#19099 Move marketplace add/remove and startup sync out of core. @xl-openai
- openai#19168 Use Auto-review wording for fallback rationale @maja-openai
- openai#18908 Add remote thread config endpoint @rasmusrygaard
- openai#18285 tui: carry permission profiles on user turns @bolinfest
- openai#18286 mcp: include permission profiles in sandbox state @bolinfest
- openai#18878 [rollout_trace] Trace tool and code-mode boundaries @cassirer-openai
- openai#18287 shell-escalation: carry resolved permission profiles @bolinfest
- openai#18946 fix(exec-server): retain output until streams close @bolinfest
- openai#19074 Add app-server marketplace upgrade RPC @xli-oai
- openai#19180 use a version-specific suffix for command runner binary in .sandbox-bin @iceweasel-oai
- openai#19178 Stabilize approvals popup disabled-row test @etraut-openai
- openai#18921 Fix /review interrupt and TUI exit wedges @etraut-openai
- openai#19191 Stabilize plugin MCP tools test @etraut-openai
- openai#19194 Mark hooks schema fixtures as generated @abhinav-oai
- openai#18288 tests: isolate approval fixtures from host rules @bolinfest
- openai#19044 guide Windows to use -WindowStyle Hidden for Start-Process calls @iceweasel-oai
- openai#19214 do not attempt ACLs on installed codex dir @iceweasel-oai
- openai#19161 ci: derive cache-stable Windows Bazel PATH @bolinfest
- openai#18811 refactor: route Codex auth through AuthProvider @efrazer-oai
- openai#19246 Increase app-server WebSocket outbound buffer @etraut-openai
- openai#19048 feat: expose AWS account state from account/read @celia-oai
- openai#18880 [rollout_trace] Add debug trace reduction command @cassirer-openai
- openai#18897 Add sticky environment API and thread state @starr-openai
- openai#18879 [rollout_trace] Trace sessions and multi-agent edges @cassirer-openai
- openai#19095 feat: Use short SHA versions for curated plugin cache entries @xl-openai
- openai#18950 feat: let model providers own model discovery @celia-oai
- openai#19206 app-server: persist device key bindings in sqlite @euroelessar
- openai#18917 [codex] Support remote plugin install writes @xli-oai
- openai#19231 permissions: make profiles represent enforcement @bolinfest
- openai#19261 Resolve relative agent role config paths from layers @etraut-openai
- openai#19232 ci: reuse Bazel CI startup for target-discovery queries @bolinfest
- openai#19292 Reject unsupported js_repl image MIME types @etraut-openai
- openai#19247 chore: apply truncation policy to unified_exec @sayan-oai
- openai#19294 Hide unsupported MCP bearer_token from config schema @etraut-openai
- openai#19308 Surface reasoning tokens in exec JSON usage @etraut-openai
- openai#19323 Update models.json and related fixtures @sayan-oai
- openai#19350 fix alpha build @jif-oai
…ermux into upstream/rust-v0.125.0

    # Conflicts:
    # .github/termux-release.json
    # codex-rs/Cargo.toml
    # codex-rs/core/src/session/session.rs
    # codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs
    # codex-rs/protocol/src/approvals.rs
    # codex-rs/rollout-trace/src/tool_dispatch.rs
    # codex-rs/tui/src/app/thread_session_state.rs
    # codex-rs/tui/src/app_server_session.rs
    # codex-rs/tui/src/chatwidget/tests/composer_submission.rs

Termux Android artifact ready for testing:
You must be signed in to GitHub with repository access to download Actions artifacts.
wallentx approved these changes Apr 25, 2026
## Termux release train
`rust-v0.125.0`, `rust-v0.125.0-termux`, `release/0.125.0`, `wallentx/termux-target`
Merging this PR is the manual approval gate. The release build workflow uploads the Android artifact to test; after merge, the deployment workflow attaches that exact artifact to `rust-v0.125.0-termux` and opens the checkpoint PR.
## Merge conflicts
Merging the upstream tag into the existing release train branch conflicted in GitHub Actions, so this PR was created from `refs/tags/rust-v0.125.0` for manual resolution.
Conflicted paths from the failed integration attempt: