joshka-oai

This commit **extends custom CA handling** to a wider range of **HTTPS clients** and **secure websocket TLS connections** across Codex, **refactoring** the logic into the shared `codex-client` module. This **enhancement** centralizes the application of `CODEX_CA_CERTIFICATE` or `SSL_CERT_FILE` environment variables, ensuring consistent support for custom trust roots. Consequently, critical components such as `backend-client`, `cloud-tasks`, `rmcp-client`, `codex-core`'s default client, and `codex-api`'s websocket clients now reliably function in **enterprise proxy/intercept setups**.

This commit introduces **custom CA certificate support** for the **`login` subsystem**, enabling users to authenticate successfully in environments with **enterprise TLS interception**. It provides a **new capability** for both **browser-based** and **device-code** login flows to trust custom root certificates by setting the `CODEX_CA_CERTIFICATE` environment variable, with fallback to `SSL_CERT_FILE` or system roots. This change enhances robustness by tolerating various PEM file formats and provides clear error messages for misconfigurations, significantly improving the user experience for enterprise deployments. The core logic resides in a new `codex-rs/login/src/custom_ca.rs` module, accompanied by comprehensive subprocess tests and updated `docs/config.md`.

This commit **refines key event handling** within the **TUI's composer** to prevent multi-agent fast-switch shortcuts from interfering with word-wise text editing. Specifically, agent-switching key combinations like `Option+b` and `Option+f` will now only trigger when the composer is empty, allowing them to function as standard word-motion commands when text is present. This **behavior adjustment** in `handle_key_event` within `codex-rs/tui/src/app.rs` ensures a more predictable and intuitive **user experience** for text input. New test cases were added to `codex-rs/tui/src/multi_agents.rs` to validate this improved shortcut matching and fallback logic.

This commit performs **documentation maintenance** by **removing** the temporary planning artifact `docs/auth-login-logging-plan.md`. This file, which detailed the rationale for **authentication login diagnostics**, is no longer needed as its content has been integrated into code comments, tests, and existing implementation notes. The change **reduces documentation overhead** and eliminates a duplicate maintenance surface, ensuring that the project's documentation remains concise and up-to-date.

This commit introduces **enhanced diagnostic logging** for authentication login flows, significantly improving **troubleshooting and support** for login failures. It adds **structured logging** to the core **OAuth login server** (`codex-rs/login` crate) for critical events like callback receipt, token exchange, and errors, including **sensitive data redaction** for security. Additionally, the **`codex login` CLI command** (`codex-rs/cli` crate) now generates a dedicated **file-backed log** at `codex-login.log`, providing a persistent artifact for both successful and failed login attempts. This new **observability feature** ensures consistent, detailed login diagnostics across CLI, TUI, Electron, and VS Code extension flows, making it easier to diagnose issues without exposing sensitive information.

This commit performs **test maintenance** by **increasing the `DEFAULT_READ_TIMEOUT`** constant from 20 seconds to 45 seconds within the `codex_message_processor_flow` test suite. This adjustment in `codex-rs/app-server/tests/suite/codex_message_processor_flow.rs` is a **fix for test flakiness**, specifically addressing issues observed on Windows ARM64 CI where tests sometimes exceeded the previous timeout. The change aims to **reduce intermittent test failures** caused by platform timing variations, ensuring more reliable and consistent test outcomes for the **`codex-app-server`** module without altering the test's intended behavior.

This commit **enforces synchronization** between `MODULE.bazel.lock` and `Cargo.lock` to prevent dependency drift within the **Bazel build system**. It introduces a new `check-module-bazel-lock.sh` script, integrated into **Bazel CI** and new `just` commands (`bazel-lock-update`, `bazel-lock-check`), which validates that `MODULE.bazel.lock` accurately reflects Cargo's dependency resolution. This **maintenance** and **tooling enhancement** significantly **improves developer experience** by catching lockfile inconsistencies early, ensuring consistent dependency resolution across the project. Furthermore, **developer documentation** in `AGENTS.md` and `codex-rs/docs/bazel.md` is updated to guide users on the new workflow for managing Bazel module lockfiles.

This commit provides a **bug fix** for the **`codex-rs/protocol` unit tests**, specifically addressing a **Bazel build failure**. Previously, a test in `codex-rs/protocol/src/models.rs` used `include_bytes!` to load a PNG from external assets, which caused compilation errors due to Bazel's sandboxing restrictions. The change **inlines a small, valid PNG** directly into the test, making it **hermetic** and resolving the incompatibility with Bazel's build environment. This ensures the `protocol-unit-tests` can now build successfully under Bazel.

This commit **updates the navigation links for Codex App tooltips** within the **TUI (Text User Interface)**. It modifies the `PAID_TOOLTIP` and `OTHER_TOOLTIP` constants in `codex-rs/tui/src/tooltips.rs` to append `?app-landing-page=true` to the `chatgpt.com/codex` URL. This **maintenance** change ensures that users clicking these tooltips are correctly directed to the **intended app landing page variant**, providing a more consistent and accurate user experience. The scope is limited to the **Codex App's TUI navigation links**.

This commit **refines the dangerous command detection logic** within the `codex-rs/shell-command` module by **removing Git subcommands from the "dangerous" classification**. Previously, operations like `git push --force` were incorrectly flagged, blocking benign developer workflows. This **bug fix** ensures that only truly destructive shell operations, such as `rm` and `sudo`, are considered dangerous, thereby **unblocking common Git operations** and improving the developer experience. The `exec_policy` tests were also updated to reflect this change, now focusing on `rm -rf` as an example of a dangerous command.

This commit **updates the documentation** in `AGENTS.md` to establish a new **development policy** for agent contributions. It now explicitly requires that all **user-visible UI changes** must include corresponding `insta` snapshot coverage, with snapshots reviewed and accepted during the pull request process. This **documentation update** serves as a **process improvement**, aiming to enhance the quality, consistency, and reviewability of UI modifications. The change impacts the **development workflow** for UI-related features, ensuring better **UI stability** and preventing regressions.

This commit **improves the Bazel CI workflow** by introducing a **conditional fallback mechanism** for builds. Specifically, the `.github/workflows/bazel.yml` configuration now detects the presence of a `BUILDBUDDY_API_KEY` and will only utilize remote BuildBuddy services if the key is available. For **forked pull requests** that lack access to this secret, the CI will **gracefully fall back to local Bazel execution** by clearing remote cache/executor/BES endpoints, ensuring builds can complete without requiring sensitive credentials. This **maintenance** change prevents CI failures for external contributors and enhances the robustness of the **CI pipeline**.

This commit **improves the user experience** of the **TUI chat composer's history navigation**. It **fixes** an issue where the cursor was not consistently placed at the end of the line after recalling a history entry, now ensuring it is positioned there by modifying `apply_history_entry`. Additionally, the commit **enhances history navigation** by allowing users to continue browsing history even when the cursor is at the start or end of the recalled text, achieved by updating `should_handle_navigation`. This **bug fix and enhancement** includes **new regression tests** to prevent future regressions and **updates the documentation** in `docs/tui-chat-composer.md` to clearly define the history cursor contract.

This commit **fixes test flakiness** in the `codex-rs/app-server` and `codex-rs/mcp-server` test suites by ensuring child processes are deterministically cleaned up. It introduces a `Drop` implementation to the `McpProcess` test helper, which now combines `Tokio::kill_on_drop(true)` with bounded `try_wait()` polling to reliably terminate and reap spawned servers. This **test maintenance** effort prevents `cargo nextest` from intermittently reporting false positive `LEAK` detections when test servers outlive teardown. By addressing these non-deterministic child-process leaks, the change significantly improves **CI stability** and test reliability for the **MCP harnesses**.

This commit performs **maintenance** to **deflake** the `test_no_new_privs_is_enabled` test within the **`codex-linux-sandbox`** module. It addresses intermittent CI failures, specifically `Sandbox(Timeout)` errors, which occurred because the sandboxed `grep '^NoNewPrivs:' /proc/self/status` command in this test often ran too close to its short timeout budget. The change updates only this particular test in `codex-rs/linux-sandbox/tests/suite/landlock.rs` to utilize `LONG_TIMEOUT_MS`, thereby eliminating the near-threshold timeout behavior. This ensures more reliable and stable CI results for the `landlock` suite without impacting the timeout settings of other tests.

This commit introduces a **bug fix** for the **TUI's chat composer**, specifically addressing an issue in **steer mode** where the `Tab` key failed to submit input when no task was actively running. Previously, this could lead to user input being dropped; now, `Tab` will immediately submit the message in such scenarios, ensuring input is not lost. The change involves modifying the `handle_key_event` function, adding **regression tests**, and updating both **tooltips** and the **main documentation** for `tui-chat-composer.md` to accurately reflect this improved behavior.

This commit **fixes** a UI stability issue in the **TUI's bottom pane** by preventing vertical jitter caused by the **unified execution summary**. Previously, the summary would dynamically add or remove a dedicated footer row, leading to visual flicker; now, it is **inlined** into the existing **status indicator widget** when the status is visible, ensuring a stable pane height. This **bug fix** involves **refactoring** the `BottomPane` and `UnifiedExecFooter` modules to provide a canonical summary text and introducing a new `update_inline_message` capability in `StatusIndicatorWidget`. The change significantly improves the **user experience** by maintaining a consistent layout during background process updates.

This commit introduces a **websocket preconnection mechanism** within the **`core`** module to significantly **reduce latency** for the first user turn. It enables the system to perform the websocket handshake during session startup, making a warmed connection available for immediate use by the `ModelClientSession`. This **new capability** also involves substantial **refactoring** of the connection logic in `client.rs`, deduping shared setup paths and improving overall maintainability of the **websocket connection management**. The change enhances the user experience by accelerating initial interactions without altering turn semantics or prompt sending during startup.

This commit **fixes a UI bug** in the **TUI's `ChatWidget`** where the status indicator (shimmer/spinner) would disappear prematurely after streaming a preamble, making the turn appear finished even when still active. It modifies `run_commit_tick_with_scope` to explicitly **restore the status indicator** when streaming output becomes idle but the underlying task is still running. This ensures **consistent liveness feedback** for users during active turns, preventing confusion during gaps in streamed output. The **bug fix** improves the user experience by maintaining visual cues that a task is still in progress, and **new tests and snapshots** were added to prevent regression.

This commit introduces a **new capability** by adding a **configurable `log_dir` option** to the **`codex-core` configuration system**, allowing users to specify a custom directory for log files. This primarily affects **logging output** and **CLI configuration overrides**, enabling redirection of `codex-tui.log` for one-off runs via `-c`. Additionally, it **enhances CLI flexibility** by resolving relative paths in configuration overrides against the current working directory. The default `log_dir` is `$CODEX_HOME/log`, and relevant documentation has been updated.