Codex System Handbook

Transport and server runtime initialization

stage-840 files

This stage sets up the communication roads used by server-style runs of the system. It happens during startup and then stays active during the main work loop, carrying requests, replies, and notifications between clients, servers, and helper processes. Most of these messages use JSON-RPC, a simple pattern where one side sends a named request in JSON and the other side sends back a matching response.

One part brings up the main app server and its daemon, which is a background process that can be started, stopped, checked, and reused. It opens transports such as standard input/output, Unix sockets, and WebSockets, then routes messages through the server and remote-control connections.

The other part starts sidecar servers: small helper services that sit beside the main process. Exec servers run commands through shared channels, encrypted relays connect remote clients safely, MCP servers expose tools, and proxy bridges connect local programs or network traffic under controlled rules. Together, these pieces form the switchboard that lets the rest of the system talk reliably.

Sub-stages

State registers touched16
  • reg-http-network-clientThe shared network client setup, including retries, streaming, cookies, proxy settings, TLS handling, and request failure reporting.
  • reg-tls-crypto-providerThe one process-wide cryptography provider chosen early so HTTPS and other TLS connections use the same security engine.
  • reg-app-server-runtimeThe live app-server or daemon state, including open transports, connected clients, request routing, and server lifecycle status.
  • reg-remote-control-relayThe remote-control, relay, socket, WebSocket, and encrypted connection state used to connect clients and helper processes.
  • reg-network-proxy-policyThe managed proxy and network-forwarding state that decides what network traffic is allowed, forwarded, or blocked.
  • reg-exec-environmentThe active command-execution setup, including local or remote executor choice, sandbox helper paths, runtime paths, and process execution capabilities.
  • reg-process-registryThe shared record of running or tracked external processes, their identifiers, input/output streams, terminal sizes, and completion state.
  • reg-mcp-server-sessionsThe configured and connected MCP tool servers, their tools, resources, login state, approval rules, and active sessions.
  • reg-observability-telemetryThe shared logs, traces, metrics, analytics facts, rollout tracing, debug captures, and feedback evidence used to understand what happened.
  • reg-realtime-stream-stateActive realtime conversation state, including audio/text stream sessions, WebSocket transport state, buffers, and stop/cancel lifecycle data.
  • reg-filesystem-watch-subscriptionsActive file and directory watch subscriptions, invalidation signals, and watcher-to-client mappings used for skills, plugin/config refreshes, and app-server file APIs.
  • reg-windows-sandbox-readinessPrepared Windows sandbox accounts, helper readiness, setup status, and client-visible sandbox availability separate from the policy rules themselves.
  • reg-attestation-stateClient or host attestation provider state and generated proof metadata used to attach optional attestation headers to upstream requests.
  • reg-process-hardening-stateProcess-wide hardening status and OS security settings applied at bootstrap, such as dump/inspection/tamper restrictions that affect the rest of the run.
  • reg-ide-integration-stateActive IDE-link state such as connected IDE clients, workspace metadata, open file or selection context, and IDE details injected into prompts or server notifications.
  • reg-outgoing-transport-buffersQueued outbound protocol messages, write buffers, and backpressure state for app-server, daemon, exec-server, and remote transports.