charley-oai

This commit implements a **bug fix** and **refactoring** within the **`codex-rs/core`** module by **deferring the injection of initial context** for forked sessions. Previously, initial context was duplicated by being injected at fork startup and again on the first turn; this change now preserves the `reference_context_item` as the baseline until the first real user turn. Consequently, **forked sessions** now behave consistently with resume operations regarding context seeding, preventing redundant model-visible context in child rollouts. This involved updating various **test cases and snapshots** related to fork history and context handling, and adding a `TODO` in `build_settings_update_items` for future refinement.

This commit introduces a **fix** to the **`context_manager`** in `codex-rs/core` by implementing logic to **trim contiguous pre-turn context updates** during a **rollback** operation. Specifically, it prevents the incorrect retention or duplication of developer and contextual-user messages when the history is rolled back to a user turn, ensuring a clean context state. New helper functions in `codex-rs/core/src/event_mapping.rs` facilitate the identification of these contextual message fragments for accurate trimming. This **improves the robustness of conversational history management** and is verified by new and updated regression tests, including snapshot updates for `compact_resume_fork`, to guarantee correct context state after rollbacks.

This commit **stabilizes a flaky test**, `compact_resume_after_second_compaction_preserves_history`, within the **`codex-core`** test suite. It **refactors the test setup** in `codex-rs/core/tests/suite/compact_resume_fork.rs` to use a single, ordered sequence of SSE responses, eliminating duplicate request captures that caused non-determinism. Assertions now check the true recorded request order, ensuring the test reliably verifies history preservation after second compaction. This **maintenance fix** improves test reliability by making the test deterministic, with changes scoped exclusively to the test environment.

This commit introduces **new capabilities** to the **`ThreadManager`** by adding `ForkSnapshotMode` to `fork_thread`, enabling callers to specify whether a forked thread should start from a committed, interrupted, or truncated state. This **refactoring** updates various call sites in the `app-server` and `tui` modules to leverage these new modes, particularly `ForkSnapshot::Interrupted` for handling conversational interruptions. Additionally, a **bug fix** in `rollout/truncation.rs` corrects the history truncation logic to ensure full rollouts are returned when appropriate. This enhancement provides more flexible thread branching, allowing features like `/btw` to interrupt and fork a thread similarly to an `Esc` key press, thereby improving the conversational flow.

This commit introduces a **new snapshot test** in `codex-rs/core/tests/suite/compact_resume_fork.rs` to expose a regression in the **rollback functionality**. Specifically, it demonstrates how **contextual diffs are duplicated** in the model-visible request input after a rollback, due to live session overrides not being rewound. This **maintenance** change provides a canonical regression test, making the issue visible and offering a direct reproduction for future fixes to the **rollback and context reconstruction** logic. The new test, `snapshot_rollback_followup_turn_duplicates_context_updates`, captures the exact request input to highlight this duplication.

This commit **improves error handling** within the **guardian review process** by capturing the last guardian API `EventMsg::Error`. If a review completes without an assessment payload, this captured error is now reused as the **denial rationale**, providing more specific feedback to the user. This **bug fix** affects the `wait_for_guardian_review` function in `codex-rs/core/src/guardian/review_session.rs` and ensures that **Responses API errors** are properly surfaced. A new regression test has been added to verify the `/responses` HTTP 400 path behavior, enhancing the robustness of the system.

This commit introduces a **new capability** to gracefully handle user input during non-steerable turns, such as when a manual `/compact` command is active. The **app-server protocol** is extended with `ActiveTurnNotSteerableCodexErrorInfo` to communicate these states, and the **core logic** now explicitly rejects steering during these periods. Crucially, the **Text User Interface (TUI)** and **TUI App Server** are updated to **queue user messages** submitted during non-steerable turns, displaying them in a pending input preview until the turn concludes. This **user experience improvement** prevents loss of input and provides clear visual feedback, ensuring follow-up messages are processed correctly once the system is ready. Extensive **regression tests** have been added to validate this new queuing and input restoration behavior.

This commit introduces a **new capability** for the **TUI (Terminal User Interface)**, enabling users to edit the most recent queued message using `Shift+Left` when operating within a `tmux` session. This **feature enhancement** is applied across both the **TUI** and **TUI App Server** components, specifically updating the `chatwidget`'s keybinding logic and the `pending_input_preview`'s rendering. Extensive **test coverage** and snapshots have been added to validate the new `tmux`-specific behavior and the displayed hint. This change significantly improves the user experience for individuals utilizing the application within `tmux` by providing a more intuitive and consistent shortcut for message editing.

This commit introduces a **new snapshot test** within the **`core` module** to capture and verify the existing behavior of **fork startup context injection** combined with first-turn diff injection. A new Tokio test, `fork_startup_context_then_first_turn_diff_snapshot`, is added to `codex-rs/core/src/codex_tests.rs` along with its corresponding snapshot file. This **maintenance** task explicitly documents the current "duplicated startup-plus-turn context behavior" without altering any runtime logic. The primary goal is to establish a baseline for this critical **startup context injection** mechanism, enhancing the **testing infrastructure** to prevent future regressions.

This commit **removes a legacy configuration migration** from the **core configuration loading** mechanism within the `codex-core` module. Specifically, it stops rewriting the deprecated `smart_approvals` configuration key to `guardian_approval` and ceases backfilling `approvals_reviewer = "guardian_subagent"`. As a result, the `smart_approvals` key is now **ignored** in both root and profile scopes, simplifying configuration handling. This is a **maintenance cleanup** that streamlines the configuration system by removing outdated compatibility logic and associated tests.

This commit introduces a **new feature** and **performance optimization** within the **Guardian review session** of the `codex-rs/core` module. It adds a **developer reminder** for follow-up reviews, ensuring users are prompted before reusing prior review states, which is implemented via the `append_guardian_followup_reminder` function. Concurrently, it **optimizes performance** by caching the prior-review state directly on the guardian session, thereby avoiding redundant full history rescans on subsequent requests. This enhancement improves developer workflow and system efficiency, with corresponding updates to **snapshot tests** and **unit tests** to validate the new reminder's layout and inclusion.

This commit **enhances the `codex-state` module's log management** by aligning SQLite feedback logs with the in-memory feedback formatter, specifically for `/feedback` exports. It introduces a new `feedback_log_body` column in the `logs` table, storing pre-rendered log content that includes span prefixes and structured event fields, ensuring **`/feedback` exports maintain fidelity**. The **log insertion logic** in `log_db.rs` is updated to capture this formatted body at write time, and **feedback query and truncation mechanisms** in `runtime/logs.rs` are refactored to utilize this new column. This **feature enhancement** also integrates `feedback_log_body` into the retention budget for correct pruning and optimizes feedback export queries with a SQL-side byte cap.

This commit **refactors** the source of truth for `guardian_developer_instructions`, moving this critical prompt override from backend-managed configuration to **workspace-managed `requirements.toml`**. This introduces a **new capability** for administrators to define or override the **Guardian system's** prompt via enterprise policies, affecting the **configuration loading mechanism** across `codex-rs`. The Guardian will now prioritize this workspace-defined override, falling back to a bundled default if not present, enabling more agile policy updates through the **workspace Policies UI**. This change ensures the Guardian prompt is an admin-managed policy input, not a user preference, streamlining policy management for the **Guardian system**.

This commit introduces a significant **enhancement** to the **Guardian approval subsystem** by implementing a `GuardianReviewSessionManager` to **reuse the Guardian subagent session** across multiple approvals. This change **improves performance** by avoiding one-shot startup overhead and ensures a stable prompt cache key, while also preventing "prompt bleed" by clearing the subagent's history before each review. Concurrently, it performs a **major refactoring** of the Guardian module structure and renames the `smart_approvals` feature flag to `guardian_approval` across the **core configuration** and **TUI**, streamlining the codebase and user-facing terminology. This work results in faster, more reliable, and consistent Guardian review experiences, with added regression coverage for prompt cache key reuse.

This commit **fixes a bug** in the **turn context reconstruction** mechanism within the `codex-rs/core` module, specifically addressing issues that arose after **backtracking** operations. It reuses existing **rollout reconstruction logic** during backtrack rollbacks to ensure the `reference_context_item` is accurately restored from persisted rollout state, preventing misalignment in turn-context diffing. The change also optimizes rollback replay by building it directly from flushed rollout items, avoiding redundant data re-reads. A new **regression test** has been added to `codex-rs/core/src/codex_tests.rs` to validate correct behavior after compaction, ensuring the integrity of turn-context diffing.

This commit **fixes a compilation error** within the **`codex-core` testing suite** by updating a stale function reference. Specifically, it replaces the `create_wait_tool()` call with the correct `create_wait_agent_tool()` in `codex-rs/core/src/tools/spec_tests.rs`. This **maintenance bug fix** resolves a "cannot find function" error that arose after a previous refactoring renamed the multi-agent tool creation helper. The change ensures the spec tests for the **multi-agent toolset** compile and run correctly, maintaining the integrity of the test suite.

Add Smart Approvals guardian review across core, app-server, and TUI (#13860)

This commit **fixes test regressions** in the **`codex-core`** module by updating stale tool-spec expectations. It renames the expected tool from `wait` to `wait_agent` in various **core tool specification tests** within `codex-rs/core/src/tools/spec_tests.rs`. Additionally, the **prompt caching consistency test** in `codex-rs/core/tests/suite/prompt_caching.rs` is updated to assert against the correct `wait_agent` tool name. This **maintenance** work ensures that the **tooling infrastructure** and **prompt caching validation** accurately reflect the recent renaming of the multi-agent wait tool, resolving issues introduced by a prior change.

This commit **refactors** the **`codex-rs/core`** module to **defer the insertion of initial conversation context** until the first real user turn, rather than seeding model-visible context during session startup. This change impacts the **conversation context management** and **history recording** by ensuring that developer-visible context, such as permissions and environment details, is only injected when a user interaction occurs. Consequently, **first-turn request layouts** will no longer contain pre-user startup context, affecting **compaction behavior** and requiring extensive updates to **deterministic snapshot tests** across various scenarios, including collaboration instructions and personality updates. A **new regression test** was also added to specifically verify this deferred context insertion for new sessions.

This commit performs significant **refactoring and maintenance** on the **guardian approval system** to enhance clarity, consistency, and internal plumbing. It **neutralizes user-facing terminology** from "guardian" or "second reviewer" to "automatic approval review" across the UI and internal prompts, including renaming the experimental feature in `codex-rs/core/src/features.rs`. The changes also **streamline the guardian's internal logic** by removing model-visible guardian-specific prompt additions from `codex-rs/protocol/src/models.rs`, tightening retry-context handling to prevent agent justifications from being injected as raw context, and simplifying review plumbing by deleting dead code paths in `codex-rs/core/src/guardian.rs`. This ensures a more robust and user-friendly experience for the **automatic approval review** feature across various **tool executions** like shell, network, and MCP.