Use the Codex plugin when you want a Codex-local entrypoint over the public native runtimes and admin-profiles commands.
If you only need a terminal assistant over the same Codex app-server bridge, start with:
  tunnel-client codex assistant "Summarize the current tunnel setup."

Native command surfaces:
  tunnel-client runtimes create ...
  tunnel-client runtimes connect ...
  tunnel-client runtimes list
  tunnel-client runtimes status <alias>
  tunnel-client runtimes stop <alias>
  tunnel-client runtimes rm <alias>
  tunnel-client admin-profiles list
  tunnel-client admin-profiles set <name> --admin-key env:OPENAI_ADMIN_KEY
  tunnel-client codex status

Permission model:
  - connect --tunnel-id with an existing tunnel needs a runtime key whose principal has Tunnels Read + Use.
  - create/connect without --tunnel-id, and remote list/update/delete workflows, need an admin key plus Tunnels Read + Manage.
  - if the same Codex user will select the tunnel in ChatGPT connector settings, also grant Tunnels Use.
  - store admin/runtime key references such as env:OPENAI_ADMIN_KEY and env:CONTROL_PLANE_API_KEY; never pass literal keys.
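
Added example (not part of tunnel-client): a preflight check that a key argument is an env:NAME reference and not a literal key, and that the variable is exported and non-empty, before it reaches the admin-profiles set command listed above. The helper names check_key_ref and set_admin_profile are hypothetical, and the check assumes env: is the only reference form you intend to allow.

```shell
# Added example, not tunnel-client code. check_key_ref is a hypothetical helper.
# Exit codes: 0 usable reference, 1 not an env: reference, 2 bad variable name,
# 3 variable not exported or empty.
check_key_ref() {
  case $1 in
    env:*) name=${1#env:} ;;
    *) # Do not echo the argument: it may be a literal secret.
       echo "refusing: expected env:NAME, got a non-reference value" >&2
       return 1 ;;
  esac
  # Only a plain identifier may reach the eval below.
  case $name in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
      echo "refusing: invalid variable name in reference" >&2
      return 2 ;;
  esac
  # A child shell sees exported variables only, which is what a child
  # process such as tunnel-client would inherit. The value is never printed.
  if ! sh -c 'eval "[ -n \"\${$1-}\" ]"' sh "$name"; then
    echo "refusing: $name is not exported or is empty" >&2
    return 3
  fi
  return 0
}

# Hypothetical wrapper around the admin-profiles command shown above.
set_admin_profile() {
  check_key_ref "$2" || return
  tunnel-client admin-profiles set "$1" --admin-key "$2"
}
```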

Preferred install path from the binary:
  tunnel-client codex plugin install

To remove or reset the installed plugin bundle:
  tunnel-client codex plugin uninstall

If you want to inspect the bundle first:
  tunnel-client codex plugin export --dir /tmp/tunnel-plugin
{{PLUGIN_BUNDLE_INSTALL_COMMAND}}

If Codex is installed locally but the plugin is missing, doctor and startup guidance will point you back to:
  tunnel-client codex plugin install

Plugin runtime semantics:
  - the installed plugin is a thin router onto `tunnel-client runtimes ...` and `tunnel-client admin-profiles ...`
  - once installed, prefer the plugin router and its persisted `.tunnel-client-bin` hint over an ambient `tunnel-client` on PATH
  - connect success means a usable local runtime exists, not merely that a launch command was issued
  - healthy = the managed runtime is alive and /healthz is reachable
  - ready is reported separately so agents can distinguish startup success from the full OAuth/MCP ready contract
  - status reports local runtime state first and includes the explicit ui_url when available
  - stop or disconnect tears down the managed local runtime without deleting the tunnel itself
  - `tunnel-client codex status` reports plugin files on disk separately from Codex bridge/assistant readiness; after uninstall, already-running Codex sessions may still have previously loaded tunnel-mcp state until restart

Useful native commands:
  tunnel-client runtimes status <alias>
  tunnel-client runtimes stop <alias>
  tunnel-client runtimes disconnect <alias>
  tunnel-client admin-profiles list

Useful plugin aliases inside Codex:
  scripts/tunnel_mcp status <alias>
  scripts/tunnel_mcp stop <alias>
  scripts/tunnel_mcp disconnect <alias>
  scripts/tunnel_mcp rm <alias>
