@leo000001/codex-mcp 2.0.0 → 2.0.2

package/CHANGELOG.md

@@ -25,7 +25,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Documentation aligned with implementation details for event eviction and e2e guidance
 - Tool input defaults are now defined in schema (`cursor`, `maxEvents`, `includeSensitive`, `advanced.approvalTimeoutMs`) and client-facing text avoids duplicated default descriptions
 - `codex_session` adds `clean_background_terminals` action to call `thread/background_terminals/clean`
-- Approval action payloads now expose `approvalId` and `networkApprovalContext` when provided by app-server
+- Approval action payloads now expose `approvalId` when provided by app-server
+- Documentation was de-duplicated by splitting responsibilities between `AGENTS.md` (execution handbook) and `docs/DESIGN.md` (single source upgrade playbook), and a one-shot schema refresh runbook/record was added (`2026-02-21`, no schema diff)
+- `src/app-server/protocol.ts` is now aligned to current v2 schema coverage for thread/turn params (`dynamicTools`, `persistExtendedHistory`, `collaborationMode`, richer `SandboxPolicy`, strict `UserInput` union, `turn/steer` params)
+- `codex_check` input validation is now action-aware at schema level (`poll` vs `respond_permission` vs `respond_user_input`), including conditional `execpolicy_amendment` rules and forbidden-field checks
+- Auth refresh request handling now uses explicit unsupported semantics (`-32000`) instead of `-32601` for `account/chatgptAuthTokens/refresh`
+- Compatibility policy is now explicitly strict: removed non-essential alias compatibility (`approval_id`, `network_approval_context`, `questionId`) and documented a single necessary-compatibility whitelist (v1/v2 thread/turn id extraction)
+- Command approval context is now surfaced directly in `actions[]` / `approval_request` payloads (`commandActions`, `proposedExecpolicyAmendment`) for richer client-side approval UX
+- `turn/started` and `turn/completed` notification handling now only uses canonical `turn.id` shape (plus runtime `activeTurnId` fallback), and corresponding v1 top-level `turnId` compatibility tests were removed
+- `compat-report` now correctly advertises `respondApprovalAlias: false` to match strict no-alias behavior
+- Upgrade-policy docs were further de-duplicated: `docs/DESIGN.md` remains the single detailed compatibility source, and `AGENTS.md` now stays as a concise execution gate
 
 ## [0.1.0] - 2026-02-15
 

package/README.md

@@ -220,7 +220,7 @@ Query a running session for events, respond to approval requests, or answer user
 | `decision`            | string   | For respond_permission            | For command approvals: `"accept"`, `"acceptForSession"`, `"acceptWithExecpolicyAmendment"`, `"decline"`, `"cancel"`; for file changes: `"accept"`, `"acceptForSession"`, `"decline"`, `"cancel"` |
 | `execpolicy_amendment` | string[] | For acceptWithExecpolicyAmendment | Exec policy amendment list (required when `decision="acceptWithExecpolicyAmendment"`)                                                                                                            |
 | `denyMessage`         | string   | No                                | Internal note on deny (not sent to app-server)                                                                                                                                                   |
-| `answers`             | object   | For respond_user_input            | For `respond_user_input`: `questionId -> { answers: string[] }`                                                                                                                                  |
+| `answers`             | object   | For respond_user_input            | For `respond_user_input`: `question-id -> { answers: string[] }`                                                                                                                                  |
 
 **Returns (poll and respond_*):** `{ sessionId, status, pollInterval?, cursorResetTo?, events, nextCursor, actions?, result? }`
 
@@ -267,10 +267,13 @@ When the agent requests approval or user input, `poll` includes an `actions[]` l
 
 - `respond_permission`: `decision` is one of `accept`, `acceptForSession`, `decline`, `cancel`.
   - For command approvals, `acceptWithExecpolicyAmendment` is supported and requires `execpolicy_amendment`.
-- `respond_user_input`: send `answers` keyed by `questionId`.
+- `respond_user_input`: send `answers` keyed by the question `id`.
+- For command approvals, `actions[]` may include `commandActions` and `proposedExecpolicyAmendment` for richer review UI.
 
 Pending approvals auto-decline after `advanced.approvalTimeoutMs`.
 
+Auth callback note: if app-server sends `account/chatgptAuthTokens/refresh`, codex-mcp returns JSON-RPC error `-32000` because external ChatGPT token refresh is out of scope for this server.
+
 ## Session Lifecycle & Cleanup
 
 Sessions auto-clean up in the background:

package/dist/index.js

@@ -233,7 +233,7 @@ var DEFAULT_TERMINAL_CLEANUP_MS = 5 * 60 * 1e3;
 var CLEANUP_INTERVAL_MS = 6e4;
 
 // src/app-server/client.ts
-var CLIENT_VERSION = true ? "2.0.0" : "0.0.0-dev";
+var CLIENT_VERSION = true ? "2.0.2" : "0.0.0-dev";
 var DEFAULT_REQUEST_TIMEOUT = 3e4;
 var STARTUP_REQUEST_TIMEOUT = 9e4;
 var MAX_WRITE_QUEUE_BYTES = 5 * 1024 * 1024;
@@ -682,6 +682,9 @@ var COALESCED_PROGRESS_DELTA_METHODS = /* @__PURE__ */ new Set([
   Methods.REASONING_SUMMARY_DELTA
 ]);
 var MAX_COALESCED_DELTA_CHARS = 16384;
+var AUTH_REFRESH_UNSUPPORTED_CODE = -32e3;
+var AUTH_REFRESH_UNSUPPORTED_MESSAGE = "account/chatgptAuthTokens/refresh unsupported: codex-mcp does not manage external ChatGPT auth tokens";
+var AUTH_REFRESH_TERMINAL_MESSAGE = "account/chatgptAuthTokens/refresh unsupported: session is terminal";
 var NOISE_FILTER_ENABLED = process.env.CODEX_MCP_DISABLE_NOISE_FILTER !== "1";
 var WINDOWS_TERMINAL_INTEGRATION_PREFIX = `${String.fromCharCode(27)}]633;`;
 var SHELL_NOISE_LINE_PATTERNS = [
@@ -1114,7 +1117,8 @@ var SessionManager = class {
             itemId: req.itemId,
             reason: req.reason,
             approvalId: req.approvalId,
-            networkApprovalContext: req.networkApprovalContext,
+            commandActions: req.commandActions,
+            proposedExecpolicyAmendment: req.proposedExecpolicyAmendment,
             createdAt: req.createdAt
           });
         }
@@ -1156,6 +1160,9 @@ var SessionManager = class {
             while (result.actions.length > 1 && payloadByteSize(result) > normalizedMaxBytes) {
               result.actions.pop();
             }
+            if (payloadByteSize(result) > normalizedMaxBytes) {
+              result.actions = compactActionsToMinimum(result.actions);
+            }
             truncatedFields.push("actions");
           }
           if (typeof result.actions !== "undefined" && payloadByteSize(result) > normalizedMaxBytes) {
@@ -1256,7 +1263,6 @@ var SessionManager = class {
         requestId,
         kind: req.kind,
         approvalId: req.approvalId,
-        networkApprovalContext: req.networkApprovalContext,
         decision,
         denyMessage: extra?.denyMessage
       },
@@ -1291,7 +1297,6 @@ var SessionManager = class {
         requestId,
         kind: "user_input",
         approvalId: req.approvalId,
-        networkApprovalContext: req.networkApprovalContext,
         answers
       },
       true
@@ -1369,7 +1374,7 @@ var SessionManager = class {
           {
             const turnObj = p.turn;
             const status = normalizeOptionalString(turnObj?.status);
-            session.activeTurnId = normalizeOptionalString(turnObj?.id) ?? (typeof p.turnId === "string" ? p.turnId : void 0);
+            session.activeTurnId = normalizeOptionalString(turnObj?.id);
             pushEvent(session.eventBuffer, "progress", {
               method,
               ...p,
@@ -1381,7 +1386,7 @@ var SessionManager = class {
         case Methods.TURN_COMPLETED: {
           if (session.status === "cancelled") break;
           const turnObj = p.turn;
-          const completedTurnId = (typeof p.turnId === "string" ? p.turnId : void 0) ?? turnObj?.id ?? session.activeTurnId ?? "";
+          const completedTurnId = turnObj?.id ?? session.activeTurnId ?? "";
           session.status = "idle";
           session.activeTurnId = void 0;
           session.lastResult = {
@@ -1491,10 +1496,11 @@ var SessionManager = class {
           const requestId = `req_${randomUUID().slice(0, 8)}`;
           const approvalParams = params;
           const reason = normalizeOptionalString(approvalParams.reason);
-          const approvalId = normalizeOptionalString(
-            approvalParams.approvalId ?? approvalParams.approval_id
+          const approvalId = normalizeOptionalString(approvalParams.approvalId);
+          const commandActions = Array.isArray(approvalParams.commandActions) ? approvalParams.commandActions : null;
+          const proposedExecpolicyAmendment = normalizeStringArrayOrNull(
+            approvalParams.proposedExecpolicyAmendment
           );
-          const networkApprovalContext = approvalParams.networkApprovalContext ?? approvalParams.network_approval_context;
           const pending = {
             requestId,
             kind: "command",
@@ -1504,7 +1510,8 @@ var SessionManager = class {
             turnId: normalizeOptionalString(approvalParams.turnId) ?? "",
             reason,
             approvalId,
-            networkApprovalContext,
+            commandActions,
+            proposedExecpolicyAmendment,
             createdAt: (/* @__PURE__ */ new Date()).toISOString(),
             resolved: false,
             respond: (result) => client.respondToServer(id, result)
@@ -1551,7 +1558,8 @@ var SessionManager = class {
               command: approvalParams.command,
               cwd: approvalParams.cwd,
               reason,
-              networkApprovalContext
+              commandActions,
+              proposedExecpolicyAmendment
             },
             true
           );
@@ -1675,7 +1683,11 @@ var SessionManager = class {
           });
           break;
         case Methods.AUTH_TOKEN_REFRESH:
-          client.respondErrorToServer(id, -32601, "Auth token refresh not supported by codex-mcp");
+          client.respondErrorToServer(
+            id,
+            AUTH_REFRESH_UNSUPPORTED_CODE,
+            AUTH_REFRESH_UNSUPPORTED_MESSAGE
+          );
           break;
         case Methods.LEGACY_PATCH_APPROVAL:
         case Methods.LEGACY_EXEC_APPROVAL:
@@ -1824,7 +1836,7 @@ function respondToTerminalSessionRequest(client, id, method) {
       });
       break;
     case Methods.AUTH_TOKEN_REFRESH:
-      client.respondErrorToServer(id, -32601, "Session is terminal");
+      client.respondErrorToServer(id, AUTH_REFRESH_UNSUPPORTED_CODE, AUTH_REFRESH_TERMINAL_MESSAGE);
       break;
     case Methods.LEGACY_PATCH_APPROVAL:
     case Methods.LEGACY_EXEC_APPROVAL:
@@ -1838,6 +1850,11 @@ function respondToTerminalSessionRequest(client, id, method) {
 function normalizeOptionalString(value) {
   return typeof value === "string" ? value : void 0;
 }
+function normalizeStringArrayOrNull(value) {
+  if (!Array.isArray(value)) return null;
+  const normalized = value.filter((entry) => typeof entry === "string");
+  return normalized;
+}
 function sendPendingRequestResponseOrThrow(req, response, sessionId, requestId) {
   if (!req.respond) {
     throw new Error(
@@ -1859,7 +1876,9 @@ function compactActionsForBudget(actions) {
     kind: action.kind,
     params: compactActionParamsForBudget(action),
     itemId: action.itemId,
-    createdAt: action.createdAt
+    createdAt: action.createdAt,
+    commandActions: action.commandActions,
+    proposedExecpolicyAmendment: action.proposedExecpolicyAmendment
   }));
 }
 function compactActionParamsForBudget(action) {
@@ -1872,12 +1891,30 @@ function compactActionParamsForBudget(action) {
   }
   const compactQuestions = [];
   for (const entry of rawQuestions) {
-    if (isRecord(entry) && typeof entry.questionId === "string") {
-      compactQuestions.push({ questionId: entry.questionId });
+    if (!isRecord(entry)) continue;
+    const id = typeof entry.id === "string" ? entry.id : void 0;
+    if (id) {
+      compactQuestions.push({ id });
     }
   }
   return compactQuestions.length > 0 ? { questions: compactQuestions } : void 0;
 }
+function compactActionsToMinimum(actions) {
+  if (actions.length === 0) return actions;
+  const first = actions[0];
+  return [
+    {
+      type: first.type,
+      requestId: first.requestId,
+      kind: first.kind,
+      params: void 0,
+      itemId: first.itemId,
+      createdAt: first.createdAt,
+      commandActions: first.commandActions,
+      proposedExecpolicyAmendment: first.proposedExecpolicyAmendment
+    }
+  ];
+}
 function clampCursorToLatest(cursor, latestCursor) {
   return Math.max(0, Math.min(cursor, latestCursor));
 }
@@ -2235,7 +2272,13 @@ function executeCodexCheck(args, sessionManager) {
   const pollOptions = args.pollOptions;
   switch (args.action) {
     case "poll": {
-      const maxEvents = typeof args.maxEvents === "number" ? Math.max(POLL_MIN_MAX_EVENTS, args.maxEvents) : POLL_DEFAULT_MAX_EVENTS;
+      if (args.requestId !== void 0 || args.decision !== void 0 || args.execpolicy_amendment !== void 0 || args.denyMessage !== void 0 || args.answers !== void 0) {
+        return {
+          error: `Error [${"INVALID_ARGUMENT" /* INVALID_ARGUMENT */}]: requestId/decision/execpolicy_amendment/denyMessage/answers are only valid for respond_* actions`,
+          isError: true
+        };
+      }
+      const maxEvents = typeof args.maxEvents === "number" ? Math.max(POLL_MIN_MAX_EVENTS, Math.floor(args.maxEvents)) : POLL_DEFAULT_MAX_EVENTS;
       return sessionManager.pollEvents(args.sessionId, args.cursor, maxEvents, {
         responseMode,
         pollOptions
@@ -2248,6 +2291,31 @@ function executeCodexCheck(args, sessionManager) {
           isError: true
         };
       }
+      if (args.answers !== void 0) {
+        return {
+          error: `Error [${"INVALID_ARGUMENT" /* INVALID_ARGUMENT */}]: answers is only valid for respond_user_input`,
+          isError: true
+        };
+      }
+      if (args.decision === "acceptWithExecpolicyAmendment") {
+        if (!args.execpolicy_amendment || args.execpolicy_amendment.length === 0) {
+          return {
+            error: `Error [${"INVALID_ARGUMENT" /* INVALID_ARGUMENT */}]: execpolicy_amendment required for acceptWithExecpolicyAmendment`,
+            isError: true
+          };
+        }
+      } else if (args.execpolicy_amendment !== void 0) {
+        return {
+          error: `Error [${"INVALID_ARGUMENT" /* INVALID_ARGUMENT */}]: execpolicy_amendment is only valid with decision='acceptWithExecpolicyAmendment'`,
+          isError: true
+        };
+      }
+      if (!ALL_DECISIONS.includes(args.decision)) {
+        return {
+          error: `Error [${"INVALID_ARGUMENT" /* INVALID_ARGUMENT */}]: Unknown decision '${args.decision}'`,
+          isError: true
+        };
+      }
       try {
         sessionManager.resolveApproval(args.sessionId, args.requestId, args.decision, {
           execpolicy_amendment: args.execpolicy_amendment,
@@ -2257,7 +2325,7 @@ function executeCodexCheck(args, sessionManager) {
         const message = err instanceof Error ? err.message : String(err);
         return { error: message, isError: true };
       }
-      const maxEvents = args.maxEvents ?? RESPOND_DEFAULT_MAX_EVENTS;
+      const maxEvents = typeof args.maxEvents === "number" ? Math.max(0, Math.floor(args.maxEvents)) : RESPOND_DEFAULT_MAX_EVENTS;
       return sessionManager.pollEventsMonotonic(args.sessionId, args.cursor, maxEvents, {
         responseMode,
         pollOptions
@@ -2270,13 +2338,19 @@ function executeCodexCheck(args, sessionManager) {
           isError: true
         };
       }
+      if (args.decision !== void 0 || args.execpolicy_amendment !== void 0 || args.denyMessage !== void 0) {
+        return {
+          error: `Error [${"INVALID_ARGUMENT" /* INVALID_ARGUMENT */}]: decision/execpolicy_amendment/denyMessage are only valid for respond_permission`,
+          isError: true
+        };
+      }
       try {
         sessionManager.resolveUserInput(args.sessionId, args.requestId, args.answers);
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
         return { error: message, isError: true };
       }
-      const maxEvents = args.maxEvents ?? RESPOND_DEFAULT_MAX_EVENTS;
+      const maxEvents = typeof args.maxEvents === "number" ? Math.max(0, Math.floor(args.maxEvents)) : RESPOND_DEFAULT_MAX_EVENTS;
       return sessionManager.pollEventsMonotonic(args.sessionId, args.cursor, maxEvents, {
         responseMode,
         pollOptions
@@ -2563,6 +2637,7 @@ function buildGotchasText() {
     `- Pending approvals/user-input auto-decline after \`approvalTimeoutMs\` (default ${DEFAULT_APPROVAL_TIMEOUT_MS} ms).`,
     "- `untrusted` behavior is enforced by Codex CLI backend and may auto-allow some low-risk commands.",
     "- Do not assume every read-only command will always require approval across CLI versions.",
+    `- **Timeout vs polling conflict**: The recommended polling interval for \`running\` status is >=120 seconds, but the default approval timeout is ${DEFAULT_APPROVAL_TIMEOUT_MS / 1e3} seconds. If a session transitions to \`waiting_approval\` between polls, the approval will auto-decline before the client can respond. Set \`advanced.approvalTimeoutMs\` to at least 300000 (5 minutes) when using \`untrusted\` or \`on-request\` policies.`,
     "",
     "## Event model",
     "",
@@ -2632,6 +2707,7 @@ function buildQuickstartText() {
     "",
     "- Use `pollInterval` as a minimum delay: `running` >=120000ms (and usually longer for big tasks).",
     "- `waiting_approval` is the exception: poll/answer around 1000ms to avoid timeout.",
+    `- When using \`untrusted\` or \`on-request\` policies, set \`advanced.approvalTimeoutMs\` to at least 300000 to prevent approvals from expiring between polling intervals.`,
     "",
     "3. If `actions[]` contains an approval request, respond:",
     "",
@@ -2703,7 +2779,7 @@ function buildCompatReport(deps, codexCliVersion) {
       schemaVersion: "1.0.0",
       features: {
         respondPermission: true,
-        respondApprovalAlias: true,
+        respondApprovalAlias: false,
         respondUserInput: true,
         sessionInterrupt: true,
         responseModeMinimal: true,
@@ -2859,7 +2935,7 @@ function registerResources(server, deps) {
 }
 
 // src/server.ts
-var SERVER_VERSION = true ? "2.0.0" : "0.0.0-dev";
+var SERVER_VERSION = true ? "2.0.2" : "0.0.0-dev";
 function formatErrorMessage(err) {
   const message = err instanceof Error ? err.message : String(err);
   const m = /^Error \[([A-Z_]+)\]:\s*(.*)$/.exec(message);
@@ -2910,6 +2986,119 @@ function createServer(serverCwd) {
     ),
     ...errorOutputShape
   };
+  const codexCheckPollOptionsSchema = z.object({
+    includeEvents: z.boolean().optional().describe("Default: true. Include events[] in response."),
+    includeActions: z.boolean().optional().describe("Default: true. Include actions[] in response."),
+    includeResult: z.boolean().optional().describe("Default: true. Include result in response."),
+    maxBytes: z.number().int().positive().optional().describe("Default: unlimited. Best-effort response payload cap in bytes.")
+  }).optional().describe("Optional poll shaping controls.");
+  const codexCheckInputSchema = z.object({
+    action: z.enum(CHECK_ACTIONS),
+    sessionId: z.string().describe("Target session ID"),
+    cursor: z.number().int().nonnegative().optional().describe("Event cursor (default: session last consumed cursor)."),
+    maxEvents: z.number().int().nonnegative().optional().describe(
+      `Max events. Default: poll=${POLL_DEFAULT_MAX_EVENTS} (min ${POLL_MIN_MAX_EVENTS}), respond_*=${RESPOND_DEFAULT_MAX_EVENTS}.`
+    ),
+    responseMode: z.enum(RESPONSE_MODES).optional().describe("Response mode. Default: minimal. Options: minimal/delta_compact/full."),
+    pollOptions: codexCheckPollOptionsSchema,
+    // respond_permission
+    requestId: z.string().optional().describe("Request ID from actions[]"),
+    decision: z.enum(ALL_DECISIONS).optional().describe(
+      "Approval decision for respond_permission. acceptWithExecpolicyAmendment requires execpolicy_amendment."
+    ),
+    execpolicy_amendment: z.array(z.string()).optional().describe("For acceptWithExecpolicyAmendment only"),
+    denyMessage: z.string().optional().describe("Deny reason (not sent to agent)"),
+    // respond_user_input
+    answers: z.record(
+      z.string(),
+      z.object({
+        answers: z.array(z.string())
+      })
+    ).optional().describe("question-id -> answers map (id from actions[] user_input request).")
+  }).superRefine((value, ctx) => {
+    const addIssue = (path4, message) => {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: [path4],
+        message
+      });
+    };
+    switch (value.action) {
+      case "poll": {
+        if (value.maxEvents !== void 0 && value.maxEvents < POLL_MIN_MAX_EVENTS) {
+          addIssue(
+            "maxEvents",
+            `poll requires maxEvents >= ${POLL_MIN_MAX_EVENTS} to avoid no-op loops.`
+          );
+        }
+        if (value.requestId !== void 0) {
+          addIssue("requestId", "requestId is only allowed for respond_* actions.");
+        }
+        if (value.decision !== void 0) {
+          addIssue("decision", "decision is only allowed for action='respond_permission'.");
+        }
+        if (value.execpolicy_amendment !== void 0) {
+          addIssue(
+            "execpolicy_amendment",
+            "execpolicy_amendment is only allowed for action='respond_permission'."
+          );
+        }
+        if (value.denyMessage !== void 0) {
+          addIssue("denyMessage", "denyMessage is only allowed for action='respond_permission'.");
+        }
+        if (value.answers !== void 0) {
+          addIssue("answers", "answers is only allowed for action='respond_user_input'.");
+        }
+        break;
+      }
+      case "respond_permission": {
+        if (!value.requestId) {
+          addIssue("requestId", "requestId is required for action='respond_permission'.");
+        }
+        if (!value.decision) {
+          addIssue("decision", "decision is required for action='respond_permission'.");
+        }
+        if (value.answers !== void 0) {
+          addIssue("answers", "answers is only allowed for action='respond_user_input'.");
+        }
+        const needsExecpolicy = value.decision === "acceptWithExecpolicyAmendment";
+        if (needsExecpolicy && (!value.execpolicy_amendment || value.execpolicy_amendment.length === 0)) {
+          addIssue(
+            "execpolicy_amendment",
+            "execpolicy_amendment is required and must be non-empty when decision='acceptWithExecpolicyAmendment'."
+          );
+        }
+        if (!needsExecpolicy && value.execpolicy_amendment !== void 0) {
+          addIssue(
+            "execpolicy_amendment",
+            "execpolicy_amendment is only allowed when decision='acceptWithExecpolicyAmendment'."
+          );
+        }
+        break;
+      }
+      case "respond_user_input": {
+        if (!value.requestId) {
+          addIssue("requestId", "requestId is required for action='respond_user_input'.");
+        }
+        if (!value.answers) {
+          addIssue("answers", "answers is required for action='respond_user_input'.");
+        }
+        if (value.decision !== void 0) {
+          addIssue("decision", "decision is only allowed for action='respond_permission'.");
+        }
+        if (value.execpolicy_amendment !== void 0) {
+          addIssue(
+            "execpolicy_amendment",
+            "execpolicy_amendment is only allowed for action='respond_permission'."
+          );
+        }
+        if (value.denyMessage !== void 0) {
+          addIssue("denyMessage", "denyMessage is only allowed for action='respond_permission'.");
+        }
+        break;
+      }
+    }
+  });
   server.registerTool(
     "codex",
     {
@@ -3093,35 +3282,7 @@ respond_user_input: user-input answers. Default maxEvents=${RESPOND_DEFAULT_MAX_
 
 events[].type is coarse-grained; details are in events[].data.method.
 cursor omitted => use session last cursor. cursorResetTo => reset and continue.`,
-      inputSchema: {
-        action: z.enum(CHECK_ACTIONS),
-        sessionId: z.string().describe("Target session ID"),
-        cursor: z.number().int().nonnegative().optional().describe("Event cursor (default: session last consumed cursor)."),
-        maxEvents: z.number().int().nonnegative().optional().describe(
-          `Max events. Default: poll=${POLL_DEFAULT_MAX_EVENTS} (min ${POLL_MIN_MAX_EVENTS}), respond_*=${RESPOND_DEFAULT_MAX_EVENTS}.`
-        ),
-        responseMode: z.enum(RESPONSE_MODES).optional().describe("Response mode. Default: minimal. Options: minimal/delta_compact/full."),
-        pollOptions: z.object({
-          includeEvents: z.boolean().optional().describe("Default: true. Include events[] in response."),
-          includeActions: z.boolean().optional().describe("Default: true. Include actions[] in response."),
-          includeResult: z.boolean().optional().describe("Default: true. Include result in response."),
-          maxBytes: z.number().int().positive().optional().describe("Default: unlimited. Best-effort response payload cap in bytes.")
-        }).optional().describe("Optional poll shaping controls."),
-        // respond_permission
-        requestId: z.string().optional().describe("Request ID from actions[]"),
-        decision: z.enum(ALL_DECISIONS).optional().describe(
-          "Approval decision for respond_permission. acceptWithExecpolicyAmendment requires execpolicy_amendment."
-        ),
-        execpolicy_amendment: z.array(z.string()).optional().describe("For acceptWithExecpolicyAmendment only"),
-        denyMessage: z.string().optional().describe("Deny reason (not sent to agent)"),
-        // respond_user_input
-        answers: z.record(
-          z.string(),
-          z.object({
-            answers: z.array(z.string())
-          })
-        ).optional().describe("questionId -> answers map (questionId from actions[] user_input request).")
-      },
+      inputSchema: codexCheckInputSchema,
       outputSchema: {
         sessionId: z.string().optional(),
         status: z.enum(["running", "idle", "waiting_approval", "error", "cancelled"]).optional(),
@@ -3149,10 +3310,13 @@ cursor omitted => use session last cursor. cursorResetTo => reset and continue.`
           z.object({
             type: z.enum(["approval", "user_input"]),
             requestId: z.string(),
-            kind: z.string(),
+            kind: z.enum(["command", "fileChange", "user_input"]),
             params: z.unknown(),
             itemId: z.string(),
             reason: z.string().optional(),
+            approvalId: z.string().optional(),
+            commandActions: z.array(z.unknown()).nullable().optional(),
+            proposedExecpolicyAmendment: z.array(z.string()).nullable().optional(),
             createdAt: z.string()
           })
         ).optional(),