Publish codex app-server Python SDK core and bundled packages

[sdcoffey]

Summary

• split the checked-in Python SDK into a runtime-free codex-app-server-sdk-core package and a bundled codex-app-server-sdk metapackage
• update SDK staging, docs, and tests for the new core/bundled/runtime package graph
• extend the tagged Rust release workflow to build and publish codex-cli-bin, codex-app-server-sdk-core, and codex-app-server-sdk to PyPI in dependency order

Why

We need downstream SDKs to be able to depend on the app-server Python surface without transitively pulling down platform binaries.

Python packaging does not give downstream consumers a clean way to suppress a required dependency from a transitive package. If codex-app-server-sdk directly depends on codex-cli-bin, then any SDK depending on it also pulls in the binary package.

That means the package with the real Python code needs to be the runtime-free one, and the bundled install experience needs to be layered on top.

Package breakdown

• codex-app-server-sdk-core: the actual Python SDK code. It ships the codex_app_server module and has no dependency on codex-cli-bin. This is the package downstream SDKs should depend on when they want to provide their own codex binary via AppServerConfig(codex_bin=...).
• codex-cli-bin: the platform-specific runtime wheel that carries the codex binary.
• codex-app-server-sdk: a thin convenience metapackage for regular users. It depends on exact matching versions of codex-app-server-sdk-core and codex-cli-bin, so pip install codex-app-server-sdk still gives the batteries-included experience.

Release flow

A rust-vX.Y.Z tag now drives all three Python artifacts at the same version:

• build and publish codex-cli-bin wheels for each release platform
• build and publish codex-app-server-sdk-core
• build and publish codex-app-server-sdk last, after its dependencies are available

This keeps the default install path simple for end users while giving downstream SDK authors a supported no-binary dependency surface.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c9230a345d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Prevent runtime wheel overwrite across GNU and musl builds

publish-pypi-runtime downloads all python-runtime-* artifacts into one folder with merge-multiple: true. The workflow now builds runtime wheels for both *-linux-gnu and *-linux-musl targets of the same arch; these produce the same wheel filename/tag, so one file can silently overwrite the other. That makes the published Linux runtime wheel nondeterministic and may ship the wrong binary variant.

Useful? React with 👍 / 👎.

[sdcoffey]

codex -> codex:

Good catch. That was a real issue.

codex-cli-bin currently relies on inferred wheel tags, so the GNU and musl Linux builds for the same arch can produce the same wheel filename. With merge-multiple: true, one runtime wheel could overwrite the other before publish.

I pushed a fix that makes publish-pypi-runtime download only the runtime wheels we want to publish to PyPI today: macOS, Windows, and GNU Linux. Musl runtime wheels are still built as release artifacts, but they are no longer uploaded to PyPI until we have a packaging story that gives GNU and musl distinct wheel tags.

[owenlin0]

probably out of scope for what this PR is trying to do, but should we integrate https://github.com/facebook/dotslash somehow?

[sdcoffey]

I think that would be good! but the proximate goal i had in mind is for public consumption–we're going to be consuming it outside the monorepo, and i'm sure others will want to as well

[bolinfest]

I think we should drop GNU builds.

[github-actions]

Closing this pull request because it has had no updates for more than 14 days. If you plan to continue working on it, feel free to reopen or open a new PR.