Matthew Zeng

This commit **increases the startup timeout** for the **Multi-Cloud Platform (MCP) connection manager** from 10 to 30 seconds within the `codex-rs/core` module. This **maintenance fix** addresses a common issue where local MCP instances frequently timed out during startup due to the previously short timeout period. By extending the timeout, the change significantly **improves the reliability of local MCP deployments**, preventing unnecessary startup failures and enhancing the developer experience. A corresponding test in `mcp_connection_manager_tests.rs` was also updated to reflect this new timeout value.

This commit implements a **feature enhancement** to the **MCP tool approval logic**, allowing **read-only tools** to bypass guardian approval checks under most circumstances. The `maybe_request_mcp_tool_approval` function within the `codex-rs/core` module is updated to skip approval for read-only tools when the system is operating in "Auto" or "Approve" guardian modes. Crucially, read-only tools will still proceed to approval when in "Prompt" mode, ensuring user oversight for critical interactions. This **behavior modification** streamlines the execution of non-modifying operations by reducing unnecessary approval prompts, with new tests confirming the updated logic across different guardian configurations.

This commit **refines the tool suggestion prompts** within the `codex-rs/core` module to provide more precise guidance. Specifically, it **distinguishes between missing connectors and discoverable plugins**, clarifying their respective triggering conditions for users. The prompt template in `codex-rs/core/templates/search_tool/tool_suggest_description.md` was updated, and corresponding assertions in `codex-rs/core/src/tools/spec_tests.rs` were adjusted to match these refined descriptions. This **enhancement** improves the clarity and accuracy of tool suggestions, leading to a better user experience when interacting with the system's capabilities.

This commit performs a **refactoring** and **maintenance** update within the **`codex-rs/core`** module to **remove support for legacy tools** in **MCP server configurations**. Specifically, it eliminates the `legacy_tools` field and its deserialization logic from `RawMcpServerConfig` and `McpServerConfig`, simplifying the configuration parsing. The `config.schema.json` is updated to disallow additional properties, tightening validation, while new tests confirm that unknown fields are now gracefully ignored during deserialization, improving the robustness of configuration handling.

This commit performs a **maintenance update** to the **plugin discovery mechanism**, specifically modifying the list of **suggestable plugins**. It updates the featured plugins by **removing certain Google-related integrations** and **adding Linear and Figma** to the discoverable options. This change, located in `codex-rs/core/src/plugins/discoverable.rs`, directly impacts the **user experience for plugin discovery**, presenting a revised set of recommended integrations.

This commit **enables several core features by default** within the `codex-rs/features` module. Specifically, the `Apps`, `ToolSuggest`, `Plugins`, and `ToolCallMcpElicitation` features now have their `default_enabled` flag set to `true` in `codex-rs/features/src/lib.rs`. This **feature enablement** ensures these capabilities are active out-of-the-box, significantly impacting the default user experience and functionality. Correspondingly, **test assertions and function names** in `codex-rs/features/src/tests.rs` were updated to reflect the new default-enabled state of `ToolSuggest` and `ToolCallMcpElicitation`.

This commit introduces a **new capability** to enhance **custom MCP tool elicitation** by allowing users to persist approval decisions, effectively implementing a "don't ask again" feature for specific tools. It significantly updates the **configuration system** to store tool-specific approval overrides, ensuring that the Automated Response Control (ARC) runs in an "always allow" mode for approved custom tools rather than an unrestricted "yolo" mode. This involves modifications to the `McpServerConfig` structure, new types for tool approval settings, and changes to the **MCP tool call handling logic** in `mcp_tool_call.rs` to manage and apply these persistent approvals. The **app server** now refreshes its app list when experimental features are enabled, and **documentation** has been updated to reflect these new configuration options, ultimately improving user control and streamlining the custom tool workflow.

This commit **decouples the `tool_suggest` feature from `tool_search`**, allowing it to operate independently within the **`codex-rs/core`** module. The work involves **refactoring** the `tool_suggest` handler, specifically `verify_tool_suggestion_completed`, to use new helper functions for independent connector refreshing, and updating `ToolsConfig` to permit `tool_suggest` without `tool_search`. This **architectural enhancement** provides greater flexibility in feature deployment, though `ToolSuggest` and several other features are now **default disabled**, requiring explicit activation. Extensive **new integration tests** confirm the independent functionality and correct feature flag behavior, while documentation is updated to reflect this change.

This commit introduces a **new experimental feature flag**, `ToolSearch`, to provide granular control over the **search tool** and **tool suggestion** functionality within the `codex-rs` application. It integrates this flag into the **configuration schema** and `config_api.rs`, ensuring that the inclusion logic for the search tool in `codex-rs/core/src/tools/spec.rs` now respects the `ToolSearch` enablement. Extensive **test updates** across `app-server`, `core`, and `features` modules validate the flag's behavior, including its default disabled state, thereby allowing for controlled rollout of these capabilities.

This commit **enables** the **`ToolSuggest` and `ToolCallMcpElicitation` features** within the `codex-rs/features` module by marking them as stable and turning them on by default. This **feature enablement** ensures these capabilities are active for all users without requiring explicit configuration. Corresponding **test updates** in `codex-rs/features/src/tests.rs` verify this new default-enabled status, while a test in `codex-rs/core/src/tools/spec_tests.rs` is adjusted to explicitly disable `ToolSuggest` where necessary for specific test scenarios.

This commit **promotes the 'Apps' and 'Plugins' features** to stable status within the `codex-rs` project, **enabling them by default** by updating their `FeatureSpec` definitions in `codex-rs/features/src/lib.rs`. This **configuration change** simplifies setup by making these core functionalities readily available without explicit activation. To align with this new default, **test cases** in `codex-rs/core` are updated to explicitly manage plugin and app states for specific testing scenarios, ensuring continued correctness.

This commit **introduces a new capability** to **dynamically control experimental feature flags** within the **app-server**. It implements a new `experimentalFeature/enablement/set` client request, allowing **global runtime modification** of features, which was previously limited to thread-level overrides. This required extensive updates to the **app-server protocol schemas** (JSON, TypeScript, and Rust definitions for `ExperimentalFeatureEnablementSetParams` and `ExperimentalFeatureEnablementSetResponse`) and core **app-server logic** in `codex_message_processor.rs` and `config_api.rs`. The change enables the **app-server** to manage and apply these global overrides during configuration derivation, significantly enhancing flexibility for managing and testing experimental features.

This commit introduces **additional gating logic** for the **apps section rendering** and the **tool suggest feature**, representing a **new capability**. The `render_apps_section` function in `codex-rs/core/src/apps/render.rs` now conditionally displays the apps section only if accessible and enabled applications are present, supported by updates to `Session::handle_turn` and a new `list_accessible_and_enabled_connectors_from_manager` utility. Furthermore, the `tool_suggest` feature, configured via `ToolsConfig::new`, now explicitly requires both `Feature::Apps` and `Feature::Plugins` to be active. This **enhancement** ensures that UI elements and features are only presented when relevant and properly configured, improving system efficiency and user experience.

This commit **refactors** the **app tools loading mechanism** within the **TUI's `ChatWidget`** to significantly improve performance and efficiency. It eliminates redundant `tools/list` API calls by directly referencing the **core MCP manager's tool listing**, reducing the number of calls from four to just one. This **optimization** streamlines the process of fetching available application tools, making the TUI more responsive. Additionally, a new `pending_mcp_output_requests` field is introduced in `chatwidget.rs` to better manage asynchronous MCP output, with corresponding test updates in `chatwidget/tests.rs`.

This commit delivers a **bug fix** for the **plugin system's context management** within the `codex-rs/core` module. It **removes logic** that dynamically enabled connectors based on explicit plugin mentions, ensuring the system now **relies solely on explicitly enabled connectors**. This change, primarily affecting the `run_turn` function, prevents unintended connector activation and makes connector behavior more predictable. A new test case has been added to `codex_tests.rs` to validate that plugin mentions are correctly skipped when filtering connectors for input.

This commit introduces a **feature enhancement** to the **ARC monitoring system** by adding a `protection_client_callsite` parameter, enabling more detailed callsite information to be included in monitoring requests. It **refactors the MCP tool approval logic** within `codex-rs/core` to dynamically determine and pass this callsite information, particularly for **auto-approved MCP tool calls** and "yolo mode" operations. This integration ensures that even rapidly approved or less-restricted tool executions are properly monitored with rich contextual data. The change significantly improves **security auditing and operational visibility** by providing granular tracking of how and where MCP tools are invoked.

This commit introduces a **new capability** to the **plugin installation process**, ensuring that Message Control Processors (MCPs) bundled within plugins are automatically recognized and configured. It integrates the loading of **plugin-defined MCP servers** and the initiation of their **OAuth login flows** directly into the `plugin_install` operation. This **enhancement** primarily affects the **`plugins` subsystem** and the `codex_message_processor`, streamlining the setup of plugin-dependent services by automatically handling MCP registration and authentication. A new module `plugin_mcp_oauth.rs` manages these OAuth logins, and a new test case in `plugin_install.rs` validates this behavior, ensuring that bundled MCPs are correctly available post-installation.

This commit introduces a **new capability** to support a **tool suggestion allowlist** within the **configuration** system. It adds new data structures like `ToolSuggestConfig` and schema definitions, integrating a `tool_suggest` field into the main configuration to allow users to explicitly control which **plugins** and **connectors** are discoverable for tool suggestions. Specifically, the `connectors` module's `tool_suggest_connector_ids` and the `plugins` module's `list_tool_suggest_discoverable_plugins` are updated to respect this new configuration. This enhancement provides greater control over the system's behavior, backed by comprehensive **unit tests** across the affected modules.

This commit introduces a **new capability** for **plugin installation elicitation**, enabling the system to intelligently suggest and guide users to install plugins that provide needed connectors or are on an approved allowlist, even if not currently installed. It significantly enhances the **tool and connector discovery** mechanisms within the `codex-rs/core` module, particularly in `connectors.rs`, `plugins/discoverable.rs`, and `tools/handlers/tool_suggest.rs`. The changes involve refactoring the listing of discoverable connectors to integrate plugin information, adding client-specific filtering for tools, and updating the tool suggestion handler to build and verify these elicitation requests. This enables a more proactive user experience by prompting for installations and includes necessary updates to the **TUI and TUI app server** to correctly parse and render these new tool suggestion requests with `install_url` information.

This commit **fixes a bug** in the **`core` module's tool approval elicitation logic** by ensuring that original `tool_params` keys are preserved, rather than being replaced by display names. A new `display_name` field is introduced to `RenderedMcpToolApprovalParam` and `McpToolApprovalDisplayParam` to facilitate this, allowing for both internal key preservation and user-friendly presentation. The `render_tool_params` and `build_mcp_tool_approval_display_params` functions in `core` are updated to manage this new field. Consequently, the **Terminal User Interface (TUI)**, specifically the `mcp_server_elicitation` component, now correctly utilizes `display_name` when presenting tool approval parameters to the user. This **bug fix** enhances the reliability and clarity of **tool approval processes**, preventing misinterpretations due to altered parameter keys.