llm-cli-gateway 1.17.1 → 1.17.2

package/dist/index.js

@@ -5,7 +5,7 @@ import { randomUUID } from "crypto";
 import { existsSync, readFileSync, readdirSync, renameSync, unlinkSync } from "fs";
 import { dirname, join } from "path";
 import { fileURLToPath } from "url";
-import { z } from "zod";
+import { z } from "zod/v3";
 import { executeCli, killAllProcessGroups } from "./executor.js";
 import { parseStreamJson } from "./stream-json-parser.js";
 import { parseCodexJsonStream } from "./codex-json-parser.js";
@@ -28,7 +28,7 @@ import { buildClaudeMcpConfig, CLAUDE_MCP_SERVER_NAMES, } from "./claude-mcp-con
 import { resolveGrokSessionArgs, resolveMistralSessionArgs, resolveCodexSessionArgs, sanitizeCliArgValues, prepareMistralRequest as buildMistralCliInvocation, MISTRAL_AGENT_MODES, GATEWAY_SESSION_PREFIX, resolveClaudePermissionFlags, resolveCodexSandboxFlags, CLAUDE_PERMISSION_MODES, GEMINI_APPROVAL_MODES, CODEX_SANDBOX_MODES, CODEX_ASK_FOR_APPROVAL_MODES, CLAUDE_EFFORT_LEVELS, prepareClaudeHighImpactFlags, validateClaudeAgentsMap, prepareCodexHighImpactFlags, prepareCodexForkRequest, CODEX_CONFIG_OVERRIDES_SCHEMA, prepareGeminiHighImpactFlags, prependGeminiAttachments, resolveGeminiSessionPlan, GEMINI_HIGH_IMPACT_PARAMS_SCHEMA, } from "./request-helpers.js";
 import { createFlightRecorder } from "./flight-recorder.js";
 import { resolvePromptInput, PromptPartsSchema, assembleClaudeCacheBlocks, } from "./prompt-parts.js";
-import { computeSessionCacheStats, computeTtlRemaining } from "./cache-stats.js";
+import { computeSessionCacheStats, computeTtlRemaining, readPersistedRequest, PERSISTED_REQUEST_DEFAULT_MAX_CHARS, } from "./cache-stats.js";
 import { getCliVersions, runCliUpgrade } from "./cli-updater.js";
 import { startHttpGateway } from "./http-transport.js";
 import { printDoctorJson } from "./doctor.js";
@@ -161,12 +161,13 @@ Tools: claude_request, codex_request, gemini_request, grok_request, mistral_requ
 Validation: validate_with_models, second_opinion, compare_answers, red_team_review, consensus_check, ask_model, synthesize_validation
 Jobs: llm_job_status, llm_job_result, llm_job_cancel
 Sessions: session_create, session_list, session_set_active, session_get, session_delete, session_clear_all
-Other: list_models, cli_versions, upstream_contracts, cli_upgrade, approval_list, llm_process_health
+Other: list_models, cli_versions, upstream_contracts (use --probe-installed after CLI upgrades to detect drift), cli_upgrade, approval_list, llm_process_health, llm_request_result (read back any persisted request — sync or async — by correlationId)
 
 Key behaviors:
 - Sync auto-defers at ${SYNC_DEADLINE_MS}ms. Poll deferred jobs via llm_job_status/llm_job_result.
 - Sessions: Claude --continue, Gemini --resume, Grok --resume/--continue, Mistral --resume/--continue (current Vibe defaults session logging on; doctor flags explicit session_logging.enabled=false), Codex \`exec resume <ID>\` / \`exec resume --last\` (all real CLI continuity). For Codex, sessionId must be a real Codex UUID (from ~/.codex/sessions/); gateway-generated gw-* IDs are rejected.
 - Approval gates: opt-in via approvalStrategy:"mcp_managed".
+- Upstream drift detection: After upgrading any provider CLI (especially grok), use the upstream_contracts tool with probeInstalled: true (or the CLI command "llm-cli-gateway contracts --json --probe-installed"). This is the primary reliable way to detect when an installed binary has gained or lost flags compared to the gateway's declared contract. The probe is safe and read-only.
 - Idle timeout kills stuck processes (default 10min, configurable via idleTimeoutMs).
 
 Skills (full docs via MCP resources):
@@ -1338,7 +1339,7 @@ export function prepareCodexRequest(params, runtime = resolveGatewayServerRuntim
         }
     }
     // Resume mode: codex exec resume <SESSION_ID|--last> [flags] PROMPT
-    // Note: `codex exec resume` does NOT accept `--full-auto`; the original
+    // Note: `codex exec resume` does NOT accept sandbox policy flags; the original
     // session's approval policy is inherited. We silently drop fullAuto on resume.
     let sessionPlan;
     try {
@@ -1363,16 +1364,16 @@ export function prepareCodexRequest(params, runtime = resolveGatewayServerRuntim
     // Codex sandbox / approval: resolve modern flags + legacy fullAuto shorthand.
     // `codex exec resume` rejects all of these (the original session's policy is
     // inherited), so we only emit them when starting a NEW session.
+    const sandboxFlags = resolveCodexSandboxFlags({
+        sandboxMode: params.sandboxMode,
+        askForApproval: params.askForApproval,
+        fullAuto: params.fullAuto,
+        useLegacyFullAutoFlag: params.useLegacyFullAutoFlag,
+    });
+    if (sandboxFlags.warning) {
+        runtime.logger.warn(`[${corrId}] ${sandboxFlags.warning}`);
+    }
     if (sessionPlan.mode === "new") {
-        const sandboxFlags = resolveCodexSandboxFlags({
-            sandboxMode: params.sandboxMode,
-            askForApproval: params.askForApproval,
-            fullAuto: params.fullAuto,
-            useLegacyFullAutoFlag: params.useLegacyFullAutoFlag,
-        });
-        if (sandboxFlags.warning) {
-            runtime.logger.warn(`[${corrId}] ${sandboxFlags.warning}`);
-        }
         args.push(...sandboxFlags.args);
     }
     if (params.dangerouslyBypassApprovalsAndSandbox) {
@@ -1386,19 +1387,18 @@ export function prepareCodexRequest(params, runtime = resolveGatewayServerRuntim
         args.push("--json");
     }
     args.push("--skip-git-repo-check");
-    // U26: High-impact feature flags. `--search` is rejected by
-    // `codex exec resume` (resume inherits the original session's web-search
-    // state), so we only emit it on a NEW session. `--output-schema`,
-    // `-c key=value`, profile, ephemeral, images, and the ignore-* flags are
-    // all accepted on resume per `codex exec resume --help` (codex-cli 0.133.0)
-    // and are emitted in both branches.
+    // U26: High-impact feature flags. `--search` is retained as a compatibility
+    // input but current `codex exec` no longer accepts it, so the helper warns
+    // and emits no argv. `--profile` is accepted for new sessions only. The other
+    // flags here are accepted on resume per `codex exec resume --help` and are
+    // emitted in both branches.
     let highImpactCleanup;
     if (sessionPlan.mode === "new") {
         // Phase 4 slice ζ: emit working-dir and add-dir on new sessions only.
         // Both flags are listed in CODEX_RESUME_FILTERED_FLAGS — resume inherits
         // the original session's cwd and writable-dir policy, so emitting them
         // on resume would be silently stripped (wasteful + misleading on argv
-        // logs). Gating here mirrors `--search` / `--sandbox` / `--full-auto`.
+        // logs). Gating here mirrors `--search` / `--sandbox`.
         if (params.workingDir) {
             args.push("-C", params.workingDir);
         }
@@ -1420,13 +1420,20 @@ export function prepareCodexRequest(params, runtime = resolveGatewayServerRuntim
         if (high.missingImagePath) {
             return createErrorResponse(params.operation, 1, "", corrId, new Error(`images: path does not exist: ${high.missingImagePath}`));
         }
+        if (high.warning) {
+            runtime.logger.warn(`[${corrId}] ${high.warning}`);
+        }
         args.push(...high.args);
         highImpactCleanup = high.cleanup;
     }
     else {
+        if (params.profile) {
+            runtime.logger.warn(`[${corrId}] profile is ignored on Codex resume because current codex exec resume does not accept --profile.`);
+        }
         const high = prepareCodexHighImpactFlags({
             outputSchema: params.outputSchema,
-            profile: params.profile,
+            search: params.search,
+            profile: undefined,
             configOverrides: params.configOverrides,
             ephemeral: params.ephemeral,
             images: params.images,
@@ -1436,6 +1443,9 @@ export function prepareCodexRequest(params, runtime = resolveGatewayServerRuntim
         if (high.missingImagePath) {
             return createErrorResponse(params.operation, 1, "", corrId, new Error(`images: path does not exist: ${high.missingImagePath}`));
         }
+        if (high.warning) {
+            runtime.logger.warn(`[${corrId}] ${high.warning}`);
+        }
         args.push(...high.args);
         highImpactCleanup = high.cleanup;
     }
@@ -2861,7 +2871,7 @@ export function createGatewayServer(deps = {}) {
             .optional()
             .describe("Claude --agent: dispatch to a named single sub-agent."),
         agents: z
-            .record(z.record(z.unknown()))
+            .record(z.string(), z.record(z.string(), z.unknown()))
             .optional()
             .describe("Claude --agents: inline JSON map of agent name → { description, prompt, tools?, model? }."),
         forkSession: z
@@ -2902,7 +2912,7 @@ export function createGatewayServer(deps = {}) {
             .optional()
             .describe("Claude --fallback-model: model name to auto-fallback to when the default model is overloaded (effective only with --print, which the gateway always uses)."),
         jsonSchema: z
-            .union([z.string(), z.record(z.unknown())])
+            .union([z.string(), z.record(z.string(), z.unknown())])
             .optional()
             .describe("Claude --json-schema: JSON Schema literal (NOT a path) constraining structured output. Object values are JSON.stringify-d; string values are passed verbatim. Use with outputFormat='json'."),
         // Phase 4 slice ζ — Claude additional-workspace-dirs parity
@@ -3170,7 +3180,7 @@ export function createGatewayServer(deps = {}) {
         fullAuto: z
             .boolean()
             .default(false)
-            .describe("DEPRECATED: prefer `sandboxMode` + `askForApproval`. Expands to `--sandbox workspace-write --ask-for-approval never`."),
+            .describe("DEPRECATED: prefer `sandboxMode`. Expands to `--sandbox workspace-write`; current Codex no longer accepts approval-policy flags."),
         sandboxMode: z
             .enum(CODEX_SANDBOX_MODES)
             .optional()
@@ -3178,11 +3188,11 @@ export function createGatewayServer(deps = {}) {
         askForApproval: z
             .enum(CODEX_ASK_FOR_APPROVAL_MODES)
             .optional()
-            .describe("Codex --ask-for-approval: untrusted|on-request|never."),
+            .describe("DEPRECATED compatibility input: accepted but ignored because current Codex no longer accepts --ask-for-approval."),
         useLegacyFullAutoFlag: z
             .boolean()
             .default(false)
-            .describe("Escape hatch: emit `--full-auto` directly instead of expanding (deprecated)."),
+            .describe("DEPRECATED compatibility input: accepted but ignored because current Codex no longer accepts --full-auto."),
         dangerouslyBypassApprovalsAndSandbox: z
             .boolean()
             .default(false)
@@ -3231,10 +3241,13 @@ export function createGatewayServer(deps = {}) {
             .describe("Codex output format. `json` emits --json (JSONL events) so token usage and cost are parsed and reported in the flight recorder. `text` is the default."),
         // U26: high-impact feature flags. All optional.
         outputSchema: z
-            .union([z.string(), z.record(z.unknown())])
+            .union([z.string(), z.record(z.string(), z.unknown())])
             .optional()
             .describe("Codex --output-schema. Pass a path (string) or an inline JSON Schema object; object is materialised to a 0o600 temp file under os.tmpdir() and deleted after the run."),
-        search: z.boolean().optional().describe("Emit Codex --search to enable web search."),
+        search: z
+            .boolean()
+            .optional()
+            .describe("DEPRECATED compatibility input: accepted but ignored because current Codex exec no longer accepts --search."),
         profile: z
             .string()
             .optional()
@@ -3445,7 +3458,7 @@ export function createGatewayServer(deps = {}) {
         askForApproval: z
             .enum(CODEX_ASK_FOR_APPROVAL_MODES)
             .optional()
-            .describe("Codex --ask-for-approval: untrusted|on-request|never."),
+            .describe("DEPRECATED compatibility input: accepted but ignored because current Codex no longer accepts --ask-for-approval."),
         correlationId: z.string().optional().describe("Request trace ID (auto if omitted)"),
         idleTimeoutMs: z
             .number()
@@ -3922,7 +3935,7 @@ export function createGatewayServer(deps = {}) {
                 .optional()
                 .describe("Claude --agent: dispatch to a named single sub-agent."),
             agents: z
-                .record(z.record(z.unknown()))
+                .record(z.string(), z.record(z.string(), z.unknown()))
                 .optional()
                 .describe("Claude --agents: inline JSON map of agent name → { description, prompt, tools?, model? }."),
             forkSession: z
@@ -3963,7 +3976,7 @@ export function createGatewayServer(deps = {}) {
                 .optional()
                 .describe("Claude --fallback-model: model name to auto-fallback to when the default model is overloaded (effective only with --print, which the gateway always uses)."),
             jsonSchema: z
-                .union([z.string(), z.record(z.unknown())])
+                .union([z.string(), z.record(z.string(), z.unknown())])
                 .optional()
                 .describe("Claude --json-schema: JSON Schema literal (NOT a path) constraining structured output. Object values are JSON.stringify-d; string values are passed verbatim. Use with outputFormat='json'."),
             // Phase 4 slice ζ — Claude additional-workspace-dirs parity
@@ -4137,7 +4150,7 @@ export function createGatewayServer(deps = {}) {
             fullAuto: z
                 .boolean()
                 .default(false)
-                .describe("DEPRECATED: prefer `sandboxMode` + `askForApproval`. Expands to `--sandbox workspace-write --ask-for-approval never`."),
+                .describe("DEPRECATED: prefer `sandboxMode`. Expands to `--sandbox workspace-write`; current Codex no longer accepts approval-policy flags."),
             sandboxMode: z
                 .enum(CODEX_SANDBOX_MODES)
                 .optional()
@@ -4145,11 +4158,11 @@ export function createGatewayServer(deps = {}) {
             askForApproval: z
                 .enum(CODEX_ASK_FOR_APPROVAL_MODES)
                 .optional()
-                .describe("Codex --ask-for-approval: untrusted|on-request|never."),
+                .describe("DEPRECATED compatibility input: accepted but ignored because current Codex no longer accepts --ask-for-approval."),
             useLegacyFullAutoFlag: z
                 .boolean()
                 .default(false)
-                .describe("Escape hatch: emit `--full-auto` directly (deprecated)."),
+                .describe("DEPRECATED compatibility input: accepted but ignored because current Codex no longer accepts --full-auto."),
             dangerouslyBypassApprovalsAndSandbox: z
                 .boolean()
                 .default(false)
@@ -4195,10 +4208,13 @@ export function createGatewayServer(deps = {}) {
                 .describe("Codex output format. `json` emits --json (JSONL events) for token usage extraction."),
             // U26: high-impact feature flags. All optional.
             outputSchema: z
-                .union([z.string(), z.record(z.unknown())])
+                .union([z.string(), z.record(z.string(), z.unknown())])
                 .optional()
                 .describe("Codex --output-schema. Pass a path (string) or an inline JSON Schema object."),
-            search: z.boolean().optional().describe("Emit Codex --search to enable web search."),
+            search: z
+                .boolean()
+                .optional()
+                .describe("DEPRECATED compatibility input: accepted but ignored because current Codex exec no longer accepts --search."),
             profile: z.string().optional().describe("Codex --profile <name>."),
             configOverrides: CODEX_CONFIG_OVERRIDES_SCHEMA.describe("Codex -c key=value overrides. Keys: /^[a-zA-Z0-9._]+$/. Values: no CR/LF."),
             ephemeral: z.boolean().optional().describe("Codex --ephemeral."),
@@ -4712,6 +4728,59 @@ export function createGatewayServer(deps = {}) {
             };
         });
     } // end if (asyncJobsEnabled)
+    // Read back any persisted request (sync OR async) by its correlation id.
+    // Registered unconditionally — it reads the flight recorder, which is
+    // independent of async-job persistence. Every sync/async response echoes
+    // its id in `structuredContent.correlationId`; pass that id here to recover
+    // the persisted prompt/response after the inline result is gone. With flight
+    // recording disabled (LLM_GATEWAY_LOGS_DB=none → NoopFlightRecorder) the
+    // query yields no rows and this returns the "not found" shape.
+    server.tool("llm_request_result", {
+        correlationId: z
+            .string()
+            .min(1)
+            .describe("Correlation id from a prior request's structuredContent.correlationId (sync or async)"),
+        maxChars: z
+            .number()
+            .int()
+            .min(1000)
+            .max(2000000)
+            .default(PERSISTED_REQUEST_DEFAULT_MAX_CHARS)
+            .describe("Max chars of the persisted response to return"),
+        includePrompt: z
+            .boolean()
+            .default(false)
+            .describe("Include the full persisted prompt text in the result"),
+    }, async ({ correlationId, maxChars, includePrompt }) => {
+        const record = readPersistedRequest(flightRecorder, correlationId, {
+            maxChars,
+            includePrompt,
+        });
+        if (!record) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: JSON.stringify({
+                            success: false,
+                            error: "No persisted request found for this correlation id",
+                            correlationId,
+                            hint: "The id may be wrong, the row may have aged out of the flight recorder, or flight recording is disabled (LLM_GATEWAY_LOGS_DB=none).",
+                        }, null, 2),
+                    },
+                ],
+                isError: true,
+            };
+        }
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify({ success: true, request: record }, null, 2),
+                },
+            ],
+        };
+    });
     server.tool("llm_process_health", {}, async () => {
         const health = asyncJobManager.getJobHealth();
         const persistenceBlock = {
@@ -4793,7 +4862,7 @@ export function createGatewayServer(deps = {}) {
         probeInstalled: z
             .boolean()
             .default(false)
-            .describe("When true, run local --help probes and compare advertised flags"),
+            .describe("When true, run local --help probes and compare advertised flags against the declared contract. Strongly recommended after any provider CLI upgrade to detect drift."),
     }, async ({ cli, probeInstalled }) => {
         const report = buildUpstreamContractReport({ cli, probeInstalled });
         return { content: [{ type: "text", text: JSON.stringify(report, null, 2) }] };
@@ -5224,12 +5293,21 @@ async function main() {
             "Usage:",
             "  llm-cli-gateway [doctor --json|contracts --json|--transport=http|--version]",
             "",
+            "Doctor:",
+            "  doctor --json                     # environment, providers, declared contracts",
+            "  doctor --json --probe-upstream    # + expensive installed --help probe for drift",
+            "",
+            "After upgrading provider CLIs (grok/claude/etc), use --probe-upstream or",
+            "  llm-cli-gateway contracts --json --probe-installed",
+            "to detect when installed binaries have drifted from the gateway contracts.",
+            "",
         ].join("\n"));
         return;
     }
     if (args[0] === "doctor") {
         if (args.includes("--json")) {
-            printDoctorJson();
+            const probeUpstream = args.includes("--probe-upstream") || args.includes("--probe-installed");
+            printDoctorJson({ probeUpstream });
             return;
         }
         process.stderr.write("Only doctor --json is supported in this layer.\n");
@@ -5249,7 +5327,13 @@ async function main() {
             process.stdout.write(JSON.stringify(buildUpstreamContractReport({ cli, probeInstalled }), null, 2) + "\n");
             return;
         }
-        process.stderr.write("Usage: llm-cli-gateway contracts --json [--cli=claude|codex|gemini|grok|mistral] [--probe-installed]\n");
+        process.stderr.write([
+            "Usage: llm-cli-gateway contracts --json [--cli=claude|codex|gemini|grok|mistral] [--probe-installed]",
+            "",
+            "After upgrading any provider CLI, use --probe-installed to detect drift between",
+            "the installed binary's advertised flags and the gateway's declared contract.",
+            "Example: llm-cli-gateway contracts --json --probe-installed --cli=grok",
+        ].join("\n") + "\n");
         process.exit(2);
     }
     const transportArg = args.find(arg => arg.startsWith("--transport="));

package/dist/process-monitor.d.ts

@@ -36,9 +36,8 @@ export declare function parseProcStat(content: string): {
  */
 export declare function parseVmRss(content: string): number | null;
 export declare class ProcessMonitor {
-    private logger;
     private prevSamples;
-    constructor(logger?: Logger);
+    constructor(_logger?: Logger);
     /** Clear all cached CPU samples */
     reset(): void;
     sampleProcess(pid: number): ProcessHealth;

package/dist/process-monitor.js

@@ -3,7 +3,6 @@
  * Gracefully degrades on non-Linux platforms.
  */
 import { readFileSync } from "fs";
-import { noopLogger } from "./logger.js";
 /**
  * Parse /proc/[pid]/stat safely.
  * The `comm` field (field 2) is in parentheses and may contain spaces,
@@ -18,10 +17,14 @@ export function parseProcStat(content) {
     // fields[0] = state, fields[11] = utime (14-3), fields[12] = stime (15-3)
     if (fields.length < 13)
         return null;
+    const utime = parseInt(fields[11], 10);
+    const stime = parseInt(fields[12], 10);
+    if (!Number.isFinite(utime) || !Number.isFinite(stime))
+        return null;
     return {
         state: fields[0],
-        utime: parseInt(fields[11], 10),
-        stime: parseInt(fields[12], 10),
+        utime,
+        stime,
     };
 }
 /**
@@ -48,12 +51,9 @@ function getTotalCpuJiffies() {
     }
 }
 export class ProcessMonitor {
-    logger;
     // Previous samples for CPU delta calculation
     prevSamples = new Map();
-    constructor(logger = noopLogger) {
-        this.logger = logger;
-    }
+    constructor(_logger) { }
     /** Clear all cached CPU samples */
     reset() {
         this.prevSamples.clear();

package/dist/prompt-parts.d.ts

@@ -1,4 +1,4 @@
-import { z } from "zod";
+import { z } from "zod/v3";
 export interface PromptPartsCacheControl {
     system?: boolean;
     tools?: boolean;

package/dist/prompt-parts.js

@@ -1,5 +1,5 @@
 import { createHash } from "crypto";
-import { z } from "zod";
+import { z } from "zod/v3";
 const CacheControlSchema = z
     .object({
     system: z.boolean().optional(),

package/dist/provider-login-guidance.js

@@ -55,16 +55,16 @@ const GUIDANCE = {
     },
     grok: {
         provider: "grok",
-        displayName: "Grok CLI",
+        displayName: "Grok Build",
         install: {
-            summary: "Install Grok CLI using xAI's current official installer or managed update flow.",
-            commands: ["npm install -g grok-build"],
-            documentationUrl: "https://docs.x.ai/build/cli",
+            summary: "Install Grok Build using xAI's current official installer or managed update flow.",
+            commands: ["curl -fsSL https://x.ai/cli/install.sh | bash"],
+            documentationUrl: "https://docs.x.ai/build/overview",
         },
         login: {
             summary: "Sign in through Grok's official OAuth or device-code flow.",
             commands: ["grok login --oauth", "grok login --device-auth"],
-            credentialHandling: "Do not paste xAI API keys, OAuth tokens, or Grok auth files into the gateway or a remote chat.",
+            credentialHandling: "For headless environments, set XAI_API_KEY in the local shell. Do not paste xAI API keys, OAuth tokens, or Grok auth files into the gateway or a remote chat.",
         },
         verification: {
             command: "grok inspect --json",

package/dist/provider-status.js

@@ -182,10 +182,6 @@ export function geminiAuthStatus(env = process.env, home = homedir()) {
     const status = oauth || geminiApiKey || googleApiKey || vertexAi ? "present" : "not_found";
     return { status, methods };
 }
-/** Back-compat shim retained for callers that only need the binary store status. */
-function geminiCredentialStoreStatus() {
-    return geminiAuthStatus().status;
-}
 function grokCredentialStoreStatus() {
     const home = homedir();
     const candidates = [join(home, ".grok", "auth.json"), join(home, ".config", "grok", "auth.json")];

package/dist/request-helpers.d.ts

@@ -1,4 +1,4 @@
-import { z } from "zod";
+import { z } from "zod/v3";
 /** Prefix for gateway-generated session IDs. Enforces provenance structurally. */
 export declare const GATEWAY_SESSION_PREFIX = "gw-";
 export interface SessionResumeResult {
@@ -38,8 +38,8 @@ export declare function resolveSessionResumeArgs(opts: {
  *   - "resume-by-id"   → `codex exec resume [...resume-safe flags] <SESSION_ID> PROMPT`
  *   - "resume-latest"  → `codex exec resume --last [...resume-safe flags] PROMPT`
  *
- * `codex exec resume` rejects `--full-auto`; the original session's approval
- * policy is inherited. Callers MUST filter `--full-auto` out of the flag set
+ * `codex exec resume` rejects sandbox/working-directory policy flags; the original session's approval
+ * policy is inherited. Callers MUST filter those flags out of the flag set
  * when mode is one of the resume forms (see `prepareCodexRequest`).
  *
  * `sessionId` MUST be a real Codex session UUID (as recorded under
@@ -198,41 +198,40 @@ export type GeminiApprovalMode = (typeof GEMINI_APPROVAL_MODES)[number];
 export declare const CODEX_SANDBOX_MODES: readonly ["read-only", "workspace-write", "danger-full-access"];
 export type CodexSandboxMode = (typeof CODEX_SANDBOX_MODES)[number];
 /**
- * Codex approval modes (for `--ask-for-approval <mode>`).
+ * Deprecated Codex approval modes. Current Codex no longer exposes an
+ * `--ask-for-approval` flag; the MCP input is temporarily retained so older
+ * callers do not fail schema validation, but it emits no CLI argv.
  */
 export declare const CODEX_ASK_FOR_APPROVAL_MODES: readonly ["untrusted", "on-request", "never"];
 export type CodexAskForApproval = (typeof CODEX_ASK_FOR_APPROVAL_MODES)[number];
 export interface CodexSandboxFlagsInput {
     /** Modern: explicit sandbox mode. */
     sandboxMode?: CodexSandboxMode;
-    /** Modern: explicit approval mode. */
+    /** Deprecated compatibility input; current Codex exposes no approval-policy flag. */
     askForApproval?: CodexAskForApproval;
-    /** Legacy: shorthand for sandbox=workspace-write + askForApproval=never. */
+    /** Legacy: shorthand for sandbox=workspace-write. */
     fullAuto?: boolean;
     /**
-     * Escape hatch: when true + `fullAuto: true`, emit `--full-auto` directly
-     * instead of expanding. Off by default. Deprecated and removed after
-     * Mistral GA.
+     * Deprecated compatibility input. Current Codex rejects `--full-auto`, so
+     * this no longer changes argv emission.
      */
     useLegacyFullAutoFlag?: boolean;
 }
 export interface CodexSandboxFlagsResult {
     args: string[];
-    /** Set when fullAuto + explicit sandbox/approval are both supplied. */
+    /** Set when deprecated/no-op compatibility inputs are supplied. */
     warning?: string;
 }
 /**
- * Resolve Codex `--sandbox` / `--ask-for-approval` args from the modern
- * params + legacy `fullAuto` shorthand.
+ * Resolve current Codex sandbox args from the modern params + legacy
+ * `fullAuto` shorthand. Current Codex exposes `--sandbox`, but no longer
+ * exposes `--ask-for-approval` or `--full-auto`.
  *
  * Precedence:
- *   1. If `useLegacyFullAutoFlag && fullAuto`, emit `--full-auto` directly
- *      (escape hatch; deprecated).
- *   2. Else explicit `sandboxMode` / `askForApproval` always emit their
- *      flags. If `fullAuto: true` is set alongside, a warning is attached
- *      and the explicit values win.
- *   3. Else if `fullAuto: true`, expand to
- *      `--sandbox workspace-write --ask-for-approval never`.
+ *   1. Explicit `sandboxMode` emits `--sandbox <mode>`.
+ *   2. Else if `fullAuto: true`, expand to `--sandbox workspace-write`.
+ *   3. Deprecated `askForApproval` and `useLegacyFullAutoFlag` emit no argv
+ *      and return warnings for callers to surface/log.
  *   4. Else emit nothing.
  */
 export declare function resolveCodexSandboxFlags(input: CodexSandboxFlagsInput): CodexSandboxFlagsResult;
@@ -240,19 +239,20 @@ export declare function resolveCodexSandboxFlags(input: CodexSandboxFlagsInput):
  * Flags that `codex exec resume` rejects (the original session's policy is
  * inherited). Callers must drop these when building resume argv.
  *
- * Verified against `codex exec resume --help` (codex-cli 0.133.0):
- * `--full-auto`, `--sandbox`, `--ask-for-approval`, `--add-dir`, `-C`, and
- * `--search` are rejected. `--output-schema` and `-c key=value` ARE accepted
- * on resume and therefore are NOT in this filter (Phase 4 slice α restored
- * the previously-silent drop of those two).
+ * Verified against `codex exec resume --help` (codex-cli 0.135.0):
+ * `--sandbox`, `--add-dir`, `-C`, `--cd`, `--profile`, and `--search` are rejected.
+ * Deprecated `--full-auto` / `--ask-for-approval` are kept here defensively so
+ * legacy pre-filtered segments are stripped instead of reaching spawn.
+ * `--output-schema` and `-c key=value` ARE accepted on resume and therefore are
+ * NOT in this filter (Phase 4 slice α restored the previously-silent drop of those two).
  */
 export declare const CODEX_RESUME_FILTERED_FLAGS: ReadonlySet<string>;
 /**
  * Strip resume-incompatible flag/value pairs from a Codex argv segment.
  *
  * Bare flags (`--full-auto`, `--search`) drop without consuming a value.
- * Value-taking flags (`--sandbox`, `--ask-for-approval`, `--add-dir`, `-C`,
- * `--output-schema`) drop together with their immediately-following value.
+ * Value-taking flags (`--sandbox`, `--ask-for-approval`, `--add-dir`, `-C`, `--cd`,
+ * `--profile`) drop together with their immediately-following value.
  */
 export declare function filterCodexResumeFlags(args: string[]): string[];
 /**
@@ -492,6 +492,8 @@ export interface CodexHighImpactFlagsResult {
     cleanup: () => void;
     /** First missing image path, if any. When set, the caller should bail before spawning. */
     missingImagePath: string | null;
+    /** Set when deprecated/no-op compatibility inputs are supplied. */
+    warning?: string;
 }
 /**
  * Build the U26 argv segment AND any required side-effect handles.