core: defer fork context injection to first turn

Co-authored-by: Codex <noreply@openai.com>

Author: charley-oai

codex-rs/core/src/codex.rs

@@ -2178,15 +2178,6 @@ impl Session {
                     self.persist_rollout_items(&rollout_items).await;
                 }
 
-                // Append the current session's initial context after the reconstructed history.
-                let initial_context = self.build_initial_context(&turn_context).await;
-                self.record_conversation_items(&turn_context, &initial_context)
-                    .await;
-                {
-                    let mut state = self.state.lock().await;
-                    state.note_model_visible_turn_context(turn_context.to_turn_context_item());
-                }
-
                 // Forked threads should remain file-backed immediately after startup.
                 self.ensure_rollout_materialized().await;
 

codex-rs/core/src/codex_tests.rs

@@ -1146,18 +1146,12 @@ async fn recompute_token_usage_updates_model_context_window() {
 #[tokio::test]
 async fn record_initial_history_reconstructs_forked_transcript() {
     let (session, turn_context) = make_session_and_context().await;
-    let (rollout_items, mut expected) = sample_rollout(&session, &turn_context).await;
+    let (rollout_items, expected) = sample_rollout(&session, &turn_context).await;
 
     session
         .record_initial_history(InitialHistory::Forked(rollout_items))
         .await;
 
-    let reconstruction_turn = session.new_default_turn().await;
-    expected.extend(
-        session
-            .build_initial_context(reconstruction_turn.as_ref())
-            .await,
-    );
     let history = session.state.lock().await.clone_history();
     assert_eq!(expected, history.raw_items());
 }
@@ -1284,7 +1278,7 @@ async fn fork_startup_context_then_first_turn_diff_snapshot() -> anyhow::Result<
 }
 
 #[tokio::test]
-async fn record_initial_history_forked_advances_previous_turn_settings_to_current_baseline() {
+async fn record_initial_history_forked_preserves_previous_turn_settings_until_first_turn() {
     let (session, turn_context) = make_session_and_context().await;
     let previous_model = "forked-rollout-model";
     let previous_context_item = TurnContextItem {
@@ -1327,7 +1321,7 @@ async fn record_initial_history_forked_advances_previous_turn_settings_to_curren
                 text_elements: Vec::new(),
             },
         )),
-        RolloutItem::TurnContext(previous_context_item),
+        RolloutItem::TurnContext(previous_context_item.clone()),
         RolloutItem::EventMsg(EventMsg::TurnComplete(
             codex_protocol::protocol::TurnCompleteEvent {
                 turn_id,
@@ -1340,13 +1334,49 @@ async fn record_initial_history_forked_advances_previous_turn_settings_to_curren
         .record_initial_history(InitialHistory::Forked(rollout_items))
         .await;
 
+    assert_eq!(
+        session.previous_turn_settings().await,
+        Some(PreviousTurnSettings {
+            model: previous_model.to_string(),
+            realtime_active: Some(turn_context.realtime_active),
+        })
+    );
+    assert_eq!(
+        serde_json::to_value(session.reference_context_item().await)
+            .expect("serialize forked reference context item"),
+        serde_json::to_value(Some(previous_context_item.clone()))
+            .expect("serialize expected forked reference context item")
+    );
+
+    let history_before_update = session.clone_history().await.raw_items().to_vec();
+    let update_items = session
+        .build_settings_update_items(Some(&previous_context_item), &turn_context)
+        .await;
+    assert!(!update_items.is_empty());
+
+    session
+        .record_context_updates_and_set_reference_context_item(&turn_context)
+        .await;
+
+    let mut expected_history = history_before_update;
+    expected_history.extend(update_items);
+    assert_eq!(
+        session.clone_history().await.raw_items().to_vec(),
+        expected_history
+    );
     assert_eq!(
         session.previous_turn_settings().await,
         Some(PreviousTurnSettings {
             model: turn_context.model_info.slug.clone(),
             realtime_active: Some(turn_context.realtime_active),
         })
     );
+    assert_eq!(
+        serde_json::to_value(session.reference_context_item().await)
+            .expect("serialize current reference context item"),
+        serde_json::to_value(Some(turn_context.to_turn_context_item()))
+            .expect("serialize expected current reference context item")
+    );
 }
 
 #[tokio::test]

codex-rs/core/src/snapshots/codex_core__codex_tests__fork_startup_context_then_first_turn_diff.snap

@@ -9,9 +9,7 @@ Scenario: First request after fork when fork startup changes approval policy and
 00:message/developer:<permissions instructions>\nFilesystem sandboxing defines which files can be read or written. `sandbox_mode` is `read-only`: The sandbox only permits reading files. Network access is restricted.\n# Escalation Requests\n\nCommands are run outside the sandbox if they are approved by the user, or match an existing rule that allows it to run unrestricted. The command string is split into independent command segments at shell control operators, including but not limited to:\n\n- Pipes: |\n- Logical operators: &&, ||\n- Command separators: ;\n- Subshell boundaries: (...), $(...)\n\nEach resulting segment is evaluated independently for sandbox restrictions and approval requirements.\n\nExample:\n\ngit pull | tee output.txt\n\nThis is treated as two command segments:\n\n["git", "pull"]\n\n["tee", "output.txt"]\n\nCommands that use more advanced shell features like redirection (>, >>, <), substitutions ($(...), ...), environment variables (FOO=bar), or wildcard patterns (*, ?) will not be evaluated against rules, to limit the scope of what an approved rule allows.\n\n## How to request escalation\n\nIMPORTANT: To request approval to execute a command that will require escalated privileges:\n\n- Provide the `sandbox_permissions` parameter with the value `"require_escalated"`\n- Include a short question asking the user if they want to allow the action in `justification` parameter. e.g. "Do you want to download and install dependencies for this project?"\n- Optionally suggest a `prefix_rule` - this will be shown to the user with an option to persist the rule approval for future sessions.\n\nIf you run a command that is important to solving the user's query, but it fails because of sandboxing or with a likely sandbox-related network error (for example DNS/host resolution, registry/index access, or dependency download failure), rerun the command with "require_escalated". ALWAYS proceed to use the `justification` parameter - do not message the user before requesting approval for the command.\n\n## When to request escalation\n\nWhile commands are running inside the sandbox, here are some scenarios that will require escalation outside the sandbox:\n\n- You need to run a command that writes to a directory that requires it (e.g. running tests that write to /var)\n- You need to run a GUI app (e.g., open/xdg-open/osascript) to open browsers or files.\n- If you run a command that is important to solving the user's query, but it fails because of sandboxing or with a likely sandbox-related network error (for example DNS/host resolution, registry/index access, or dependency download failure), rerun the command with `require_escalated`. ALWAYS proceed to use the `sandbox_permissions` and `justification` parameters. do not message the user before requesting approval for the command.\n- You are about to take a potentially destructive action such as an `rm` or `git reset` that the user did not explicitly ask for.\n- Be judicious with escalating, but if completing the user's request requires it, you should do so - don't try and circumvent approvals by using other tools.\n\n## prefix_rule guidance\n\nWhen choosing a `prefix_rule`, request one that will allow you to fulfill similar requests from the user in the future without re-requesting escalation. It should be categorical and reasonably scoped to similar capabilities. You should rarely pass the entire command into `prefix_rule`.\n\n### Banned prefix_rules \nAvoid requesting overly broad prefixes that the user would be ill-advised to approve. For example, do not request ["python3"], ["python", "-"], or other similar prefixes that would allow arbitrary scripting.\nNEVER provide a prefix_rule argument for destructive commands like rm.\nNEVER provide a prefix_rule if your command uses a heredoc or herestring. \n\n### Examples\nGood examples of prefixes:\n- ["npm", "run", "dev"]\n- ["gh", "pr", "check"]\n- ["cargo", "test"]\n</permissions instructions>
 01:message/user:<environment_context>\n  <cwd><CWD></cwd>\n  <shell>zsh</shell>\n  <current_date><CURRENT_DATE></current_date>\n  <timezone>America/Los_Angeles</timezone>\n</environment_context>
 02:message/user:fork seed
-03:message/developer:<permissions instructions>\nFilesystem sandboxing defines which files can be read or written. `sandbox_mode` is `read-only`: The sandbox only permits reading files. Network access is restricted.\n Approvals are your mechanism to get user consent to run shell commands without the sandbox. `approval_policy` is `unless-trusted`: The harness will escalate most commands for user approval, apart from a limited allowlist of safe "read" commands.\n</permissions instructions>
-04:message/user:<environment_context>\n  <cwd><CWD></cwd>\n  <shell>zsh</shell>\n  <current_date><CURRENT_DATE></current_date>\n  <timezone>America/Los_Angeles</timezone>\n</environment_context>
-05:message/developer[2]:
+03:message/developer[2]:
     [01] <permissions instructions>\nFilesystem sandboxing defines which files can be read or written. `sandbox_mode` is `read-only`: The sandbox only permits reading files. Network access is restricted.\nApproval policy is currently never. Do not provide the `sandbox_permissions` for any reason, commands will be rejected.\n</permissions instructions>
     [02] <collaboration_mode>Fork turn collaboration instructions.</collaboration_mode>
-06:message/user:after fork
+04:message/user:after fork