build(deps): bump @openai/codex-sdk from 0.91.0 to 0.99.0

[dependabot]

Bumps @openai/codex-sdk from 0.91.0 to 0.99.0.

Release notes

Sourced from @​openai/codex-sdk's releases.

0.99.0

New Features

• Running direct shell commands no longer interrupts an in-flight turn; commands can execute concurrently when a turn is active. (#10513)
• Added /statusline to configure which metadata appears in the TUI footer interactively. (#10546)
• The TUI resume picker can now toggle sort order between creation time and last-updated time with an in-picker mode indicator. (#10752)
• App-server clients now get dedicated APIs for steering active turns, listing experimental features, resuming agents, and opting out of specific notifications. (#10721, #10821, #10903, #11319)
• Enterprise/admin requirements can now restrict web search modes and define network constraints through requirements.toml. (#10964, #10958)
• Image attachments now accept GIF and WebP inputs in addition to existing formats. (#11237)
• Enable snapshotting of the shell environment and rc files (#11172)

Bug Fixes

• Fixed a Windows startup issue where buffered keypresses could cause the TUI sign-in flow to exit immediately. (#10729)
• Required MCP servers now fail fast during start/resume flows instead of continuing in a broken state. (#10902)
• Fixed a file-watcher bug that emitted spurious skills reload events and could generate very large log files. (#11217)
• Improved TUI input reliability: long option labels wrap correctly, Tab submits in steer mode when idle, history recall keeps cursor placement consistent, and stashed drafts restore image placeholders correctly. (#11123, #10035, #11295, #9040)
• Fixed model-modality edge cases by surfacing clearer view_image errors on text-only models and stripping unsupported image history during model switches. (#11336, #11349)
• Reduced false approval mismatches for wrapped/heredoc shell commands and guarded against empty command lists in exec policy evaluation. (#10941, #11397)

Documentation

• Expanded app-server docs and protocol references for turn/steer, experimental-feature discovery, resume_agent, notification opt-outs, and null developer_instructions normalization. (#10721, #10821, #10903, #10983, #11319)
• Updated TUI composer docs to reflect draft/image restoration, steer-mode Tab submit behavior, and history-navigation cursor semantics. (#9040, #10035, #11295)

Chores

• Reworked npm release packaging so platform-specific binaries are distributed via @openai/codex dist-tags, reducing package-size pressure while preserving platform-specific installs (including @alpha). (#11318, #11339)
• Pulled in a security-driven dependency update for time (RUSTSEC-2026-0009). (#10876)

Changelog

Full Changelog: openai/codex@rust-v0.98.0...rust-v0.99.0

• #10729 fix(tui): flush input buffer on init to prevent early exit on Windows @​Ashutosh0x
• #10689 fix: flaky landlock @​jif-oai
• #10513 Allow user shell commands to run alongside active turns @​jif-oai
• #10738 nit: backfill stronger @​jif-oai
• #10246 adding fork information (UI) when forking @​pap-openai
• #10748 Update explorer role default model @​jif-oai
• #10425 Include real OS info in metrics. @​iceweasel-oai
• #10745 feat: resumable backfill @​jif-oai
• #10758 feat: wire ephemeral in codex exec @​jif-oai
• #10756 chore: handle shutdown correctly in tui @​jif-oai
• #10637 feat: add memory tool @​jif-oai
• #10751 feat: repair DB in case of missing lines @​jif-oai
• #10762 nit: add DB version in discrepancy recording @​jif-oai
• #10621 Leverage state DB metadata for thread summaries @​jif-oai
• #9691 Add hooks implementation and wire up to notify @​gt-oai
• #10546 feat(tui): add /statusline command for interactive status line configuration @​fcoury

... (truncated)

Commits

• 1dc06b6 fix: ensure resume args precede image args (#10709)
• 9327e99 Fix minor typos in comments and documentation (#10287)
• 4d9ae3a fix: remove references to corepack (#10138)
• 894923e feat: make it possible to specify --config flags in the SDK (#10003)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #483.