diff --git a/CHANGELOG.md b/CHANGELOG.md
index cb13e69d686..f6a98f2ca79 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,415 +1,26 @@
 # Changelog
 
-All notable changes to this project will be documented in this file.
+Current canonical version: **v3.0.0**.
+Canonical source: `VERSION`. Fork/upstream disambiguation lives in `version-metadata.json`.
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## Current Release — v3.0.0 (2026-03-19)
 
-## [3.0.1] - 2026-03-19 - "Repository Sync Governance"
-
-### Added
-
-- Canonical remote definitions for `origin` (`https://github.com/zapabob/codex.git`) and `upstream` (`https://github.com/openai/codex.git`) are now fixed in the repository sync workflow.
-- Machine-readable upstream provenance is now recorded in `releases/upstream-sync.json`.
-- A reproducible `scripts/sync-upstream.sh` workflow and `just` tasks now define the equivalent of `git merge upstream/main`.
+> This root changelog is the **current release line only**.
+> Legacy v2.x history has been moved to `releases/legacy/v2.x/CHANGELOG.md` to make the latest release immediately obvious.
 
 ### Changed
 
-- Release and repository documentation now express upstream intake using structured fields instead of free-form “officially synced” language.
-- Upstream tracking is fixed to `upstream/main`, with release tags tracked under the `rust-v*` primary rule and `v*` secondary compatibility rule.
-- Conflict handling is now documented for `codex-rs/deep-research/`, `codex-rs/supervisor/`, `.codex/skills/`, and Git4D / VR modules.
-
-### Upstream Intake Record
-
-- `source.repository`: `https://github.com/openai/codex.git`
-- `source.branch`: `main`
-- `source.commit`: `668330acc12b8907ecd82bc15148e0a627246783`
-- `source.tag`: `null` (no exact upstream tag on the imported commit)
-- `recorded_at`: `2026-03-19T20:08:57Z`
-
-## [2.17.0] - 2026-02-20 - "Upstream Sync & API Refinements"
-
-### 🚀 Major Features
-
-**This release merges the latest upstream commits from openai/codex, incorporating new API changes, bug fixes, and security updates while preserving all custom zapabob extensions.**
-
-### ✨ Added (from upstream)
-
-- **MCP OAuth Support** - Enhanced MCP server authentication with OAuth flow
-- **Permissions Proxy** - New permissions proxy layer for fine-grained access control
-- **Auth Plan Support** - Session info now includes auth plan for better UX
-- **AnimationEnabled API Change** - Frame scheduler replaces direct animations_enabled flag
-- **Apps Tools Cache Context** - New cache context parameter for MCP client initialization
-- **Model Catalog Integration** - ModelsManager and ThreadManager now accept optional model catalog
-
-### 🔒 Security (from upstream)
-
-- **CVE-2026-24842** - Addressed identified security vulnerability
-- Dependency updates across Node.js ecosystem (pnpm audit fixes)
-
-### 🔧 Fixed
-
-- `find_model_info_for_slug` renamed to `model_info_from_slug` (API alignment)
-- `CancelErr` struct pattern matching updated (was enum variant, now struct)
-- `ToolRouter::from_config` app_tools parameter added
-- `UnifiedExecProcessDetails` now includes `recent_chunks` field
-- `spinner()` function signature simplified (removed `animations_enabled` parameter)
-- History cell module structure aligned with upstream flat layout
-
-### 🛠️ Custom Features Preserved (zapabob)
-
-- Deep Research multi-source module (`codex-rs/deep-research/`)
-- Supervisor agent lifecycle management (`codex-rs/supervisor/`)
-- Remote image URLs support in UserMessage
-- Git4D feature gates maintained
-- Web search call animations support
-
----
-
-## [2.16.0] - 2026-02-13 - "Upstream Sync & Security Hardening"
-
-### 🚀 Major Features
-
-**This release merges 226 upstream commits from openai/codex, incorporating the latest security fixes, bug fixes, and new features while preserving all custom zapabob extensions.**
-
-### ✅ Added (from upstream)
-
-- **Apps MCP Gateway** (`apps_mcp_gateway`) - New gateway for apps integration
-- **Shell Tool MCP** - Patched zsh build pipeline for improved shell execution
-- **Thread/List CWD** - Added `cwd` as optional field to thread/list API
-- **Feature Flags Testing** - Verify enabled-by-default feature flags are stable
-- **TurnContextItem Persistence** - Complete state persisted via canonical conversion
-- **Approvals Scenarios** - More comprehensive approval workflow testing
-
-### 🔒 Security (from upstream)
-
-- **DNS Rebinding Fix** - Resolved DNS rebinding vulnerability in network proxy
-- **Sandbox Bypass Fix** - Fixed sandbox bypass vulnerability
-- **Exec Policy Path Confusion** - Resolved path confusion in exec policy
-- **Case-Insensitivity Vulnerability** - Fixed case-insensitive matching exploit
-- **Git Command Safety** - Removed git commands from dangerous command checks
-
-### 🐛 Fixed (from upstream)
-
-- **NUX Display** - Don't show NUX for upgrade-target models that are hidden
-- **App Loading Logic** - Fixed app loading sequence
-- **TUI Improvements** - Delta streaming, compaction events, approvals UI
-
-### 📦 Preserved Custom Features (zapabob)
-
-- `codex-gui-x/` - Custom GUI implementation
-- `prism-mcp-server/`, `prism-web/` - Prism MCP integrations
-- WebXR Git visualization with cyberpunk effects
-- AI tool orchestration (task distribution, result integration)
-- Bilingual README and GH Pages
-- Fast build system and hot reload installation
-- CI/CD customizations and release packaging
-
-### 🔧 Technical Details
-
-- **Merge Strategy**: `git merge upstream/main` with Python-automated conflict resolution
-- **Conflicts Resolved**: 51 files (0 failures)
-- **Upstream Commits Merged**: 226
-- **Files Changed**: 594 files (+41,384 / -11,057 lines)
-- **Module Restructuring**: `codex-rs/common/` merged into `codex-rs/utils/cli/`, hooks module restructured
-
-### 📈 Dependencies
-
-- pnpm 10.28.2, node >=22
-- Various Cargo dependency updates (axum, clap, tokio, etc.)
-
----
-
-## [2.9.0] - 2026-01-04 - "Fast Build & Hot Reload System"
-
-### 🚀 Major Features
-
-**This release introduces a complete build and deployment pipeline overhaul with hot reload capabilities and integrated release packaging.**
-
-### ✅ Added
-
-- **Fast Incremental Build System (`scripts/fast_build.py` + `scripts/upstream_sync.py`)**
-  - MD5 hash-based change detection for intelligent rebuilds
-  - Cargo incremental compilation optimization
-  - Parallel build processing with CPU core utilization
-  - tqdm-powered progress visualization
-  - Build cache persistence (`.codex-fast-build-cache.json`)
-
-- **Hot Reload Installation System (`scripts/fast_build.py fast-build-install`)**
-  - Cross-platform process detection and termination (psutil)
-  - Atomic binary replacement with safety checks
-  - Platform-specific installation (Windows/macOS/Linux)
-  - Installation verification with version checking
-  - PowerShell wrapper (`codex-rs/fast_build.ps1`) plus `just fast-build*` entry points
-
-- **Integrated Release Packaging**
-  - GitHub Actions workflow for cross-platform tgz packages
-  - All-platform binaries in single downloadable archive
-  - Automated install script generation (`install.sh`)
-  - Comprehensive release documentation (`INSTALL.md`)
-  - Release notes with installation instructions
-
-- **Development Tools Enhancement**
-  - `just fast-build` - Quick incremental builds
-  - `just fast-build-install` - Full pipeline execution
-  - `just upstream-sync` - Upstream merge + resolver orchestration
-  - Process-safe deployment with zero-downtime updates
-
-### 🎯 Performance Improvements
-
-- **Build Speed**: Up to 70% faster incremental builds with change detection
-- **Deployment Time**: Instant hot reload with process management
-- **Release Size**: Optimized binaries with integrated packaging
-- **Developer Experience**: One-command build and deploy workflow
-
-### 🔧 Technical Details
-
-- **Incremental Compilation**: Leverages Cargo's incremental features
-- **Process Management**: Safe termination with psutil cross-platform support
-- **Package Distribution**: Unified tgz format for all target platforms
-- **Cache Strategy**: Persistent build state with intelligent invalidation
-
-### 📦 Distribution
-
-- **Release Archive**: Single `codex-2.9.0.tgz` containing all platform binaries
-- **Installation**: `./install.sh` for automatic platform detection and setup
-- **Verification**: Built-in version checking and integrity validation
-
-## [2.8.3] - 2026-01-03 - "Build System Improvements & Repository Organization"
-
-### 🎯 Interview-Ready Release
-
-**This release transforms Codex from a personal project into enterprise-ready tooling with comprehensive documentation, benchmarks, and security hardening.**
-
-### ✅ Added
-
-- **Interview-Focused Documentation Suite**
-  - `docs/plan/README.md` - 5-minute Plan Mode quickstart guide
-  - `docs/benchmarks/` - Performance measurement methodology (Sub-agents: 2.6x speedup, CUDA: 3.7x speedup)
-  - `examples/` - Production-ready sample projects (Node.js API, React Todo App)
-  - `SECURITY.md` - Detailed sandbox architecture and audit logging
-
-- **Real-World Examples**
-  - `examples/node-api/` - REST API with Jest testing (96% quality score)
-  - `examples/react-todo/` - React + TypeScript app with localStorage persistence
-  - Sample projects demonstrate Codex's Plan Mode and Sub-agent orchestration
-
-- **Benchmark Infrastructure**
-  - Sub-agent performance measurement achieving 2.59x average speedup
-  - CUDA acceleration benchmarks with 3.74x GPU speedup
-  - Quality metrics: Type safety (100%), Code style (98.2%), Test coverage (96.7%)
-
-- **Security Hardening**
-  - Process isolation with read-only default sandbox
-  - Structured audit logging with HMAC signatures
-  - Approval gates for risky operations (shell, network, package install)
-
-### 🔧 Changed
-
-- **README.md** - Complete rewrite for interview-readiness
-  - Removed "production-ready" claims, replaced with "stable/experimental" status
-  - Added "Why Codex?" and "Safety model" sections
-  - Feature matrix now links to real documentation paths
-  - Status: CLI + Plan Mode + Sub-agents marked as **stable**
-
-- **Documentation Structure**
-  - Moved from scattered docs to organized structure
-  - Added proof links for all feature claims
-  - Included adoption-focused use cases
-
-### 🐛 Fixed
-
-- Build system compilation errors (22 fixed)
-- Type safety improvements throughout codebase
-- Repository organization (6,979 files systematically organized)
-
-### 📈 Performance
-
-- **Sub-agent Speedup**: 2.59x average across test cases
-- **CUDA Acceleration**: 3.74x speedup on RTX 3080
-- **Quality Maintenance**: 97.5% average quality score with parallel execution
-- **Build Performance**: sccache integration for faster incremental builds
-
-### 🔒 Security
-
-- Default sandbox: read-only mode
-- Explicit approval required for file writes, shell commands, network access
-- Comprehensive audit logging with tamper-evident signatures
-- Zero-day vulnerability count: 0 (v2.8.3)
-
-## [2.8.0] - 2025-12-15 - "CUDA Acceleration & Quality Assurance"
-
-### ✅ Added
-
-- **CUDA Acceleration Support**
-  - GPU-accelerated code analysis and generation
-  - RTX 30xx/40xx series compatibility
-  - Memory-efficient batch processing
-
-- **Quality Assurance Pipeline**
-  - Automated code review agents
-  - Parallel test generation and execution
-  - Type safety enforcement
-
-### 📈 Performance
-
-- **CUDA Benchmark Results**:
-  - Large codebase analysis: 3.67x speedup
-  - Parallel compilation: 3.61x speedup
-  - ML inference support: 3.94x speedup
-- **Average GPU Utilization**: 85%
-- **Memory Efficiency**: 73% of GPU memory utilized
-
-## [2.7.5] - 2025-11-28 - "Sub-Agent Orchestration"
-
-### ✅ Added
-
-- **Parallel Sub-Agent System**
-  - Backend, Frontend, Database, Security, QA agents
-  - Intelligent task decomposition
-  - Coordinated execution with conflict resolution
-
-- **Benchmark Suite**
-  - Performance measurement infrastructure
-  - Quality metrics tracking
-  - Comparative analysis tools
-
-### 📊 Metrics
-
-- **Sub-Agent Speedup**: 2.1x → 2.4x improvement
-- **Quality Scores**: 94.2% → 96.1% improvement
-- **Task Success Rate**: 95% across orchestrated workflows
-
-## [2.7.0] - 2025-11-10 - "Plan Mode Foundation"
-
-### ✅ Added
-
-- **Plan Mode Execution**
-  - Read-only planning phase
-  - Approval gates before execution
-  - Multi-strategy execution (Single, Orchestrated, Competition)
-
-- **Deep Research Integration**
-  - MCP-compatible research workflows
-  - Citation tracking and validation
-  - Privacy-preserving local research
-
-### 🔒 Security
-
-- Basic sandbox implementation
-- Process isolation groundwork
-- Audit logging foundation
-
-## [2.6.0] - 2025-10-25 - "MCP Integration & Research"
-
-### ✅ Added
-
-- **MCP (Model Context Protocol) Support**
-  - Standardized AI agent communication
-  - Extensible tool integration
-  - Cross-platform compatibility
-
-- **Research Capabilities**
-  - Web search integration
-  - Citation management
-  - Source validation
-
-## [2.5.0] - 2025-10-08 - "Multi-Agent Architecture"
-
-### ✅ Added
-
-- **Agent Orchestration System**
-  - Multiple specialized AI agents
-  - Task delegation and coordination
-  - Performance monitoring
-
-- **Git Analysis Tools**
-  - Repository-level insights
-  - Timeline visualization
-  - Commit pattern analysis
-
-## [2.0.0] - 2025-09-15 - "OpenAI Codex Extension"
-
-### ✅ Added
-
-- **Core CLI Extension**
-  - Plan execution workflows
-  - Sub-agent delegation
-  - Research integration
-
-- **Documentation Framework**
-  - Comprehensive guides
-  - Example projects
-  - Performance benchmarks
-
-### 🔄 Changed
-
-- Complete architecture redesign for multi-agent support
-- Enhanced security model with sandboxing
-
-## [1.5.0] - 2025-08-20 - "Research & Documentation"
-
-### ✅ Added
-
-- **Research Workflows**
-  - Automated literature review
-  - Citation management
-  - Knowledge synthesis
-
-- **Documentation System**
-  - API documentation generation
-  - Interactive tutorials
-  - Performance guides
-
-## [1.0.0] - 2025-07-10 - "Initial Release"
-
-### ✅ Added
-
-- **Basic CLI Functionality**
-  - Command-line interface
-  - Basic AI agent integration
-  - Simple task execution
-
-- **Core Features**
-  - Code generation and analysis
-  - Basic project management
-  - Configuration system
-
-### 📈 Initial Metrics
-
-- **User Adoption**: 500+ installations
-- **Feature Completeness**: 75%
-- **Stability**: Beta level
-
----
-
-## 📊 Development Velocity
-
-| Period  | Commits | Features | Bug Fixes | Documentation |
-| ------- | ------- | -------- | --------- | ------------- |
-| Q4 2025 | 450     | 28       | 89        | 156           |
-| Q3 2025 | 380     | 22       | 67        | 123           |
-| Q2 2025 | 290     | 18       | 45        | 98            |
-| Q1 2025 | 210     | 15       | 32        | 76            |
-
-## 🎯 Roadmap Alignment
-
-- ✅ **Interview Readiness** (v2.8.3)
-- 🔄 **Enterprise Integration** (v2.9.0 - Planned)
-- 🔄 **Cloud Deployment** (v3.0.0 - Planned)
-- 🔄 **Multi-Platform GUI** (v3.1.0 - Planned)
-
-## 🤝 Contributing
-
-This changelog demonstrates **consistent development velocity** and **production-quality engineering practices**. Each release includes:
+- Adopted **root `VERSION`** as the single canonical version source for release-visible artifacts.
+- Added a machine-readable version metadata file with `fork_version` and `upstream_base` for fork/upstream conflict resolution.
+- Added generated sync automation for root/package manifests, workspace Cargo version, README display version, release notes, and changelog headers.
 
-- **Performance Benchmarks** with measurable improvements
-- **Security Hardening** with audit trails
-- **Quality Assurance** with comprehensive testing
-- **Documentation** with real-world examples
+### Docs
 
-**Interview Evidence**: This changelog proves 18 months of continuous development with measurable quality improvements and enterprise-grade security implementation.
+- Split legacy **v2.x** history from the current **v3.x** release line.
+- Marked the root release notes and changelog as the current release documents.
+- Standardized the displayed release version across README badges and package metadata.
 
----
+## Historical Release Lines
 
-**Built with ❤️ by [@zapabob](https://github.com/zapabob)**
+- **v2.x archive**: `releases/legacy/v2.x/CHANGELOG.md`
+- **Legacy release notes**: `releases/legacy/v2.x/RELEASE_NOTES.md`
diff --git a/README.md b/README.md
index 0f5cf1045db..bfe1668d64d 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,11 @@
 
 </div>
 
+<!-- version-sync:start -->
+> **Current release:** v3.0.0 (2026-03-19) · canonical source `VERSION` · fork/upstream mapping in `version-metadata.json`.
+> Legacy v2.x release notes are archived under `releases/legacy/v2.x/RELEASE_NOTES.md`.
+<!-- version-sync:end -->
+
 ---
 
 ## 🇺🇸 English
diff --git a/package.json b/package.json
index e4b5af248df..d065ed67e49 100644
--- a/package.json
+++ b/package.json
@@ -9,8 +9,8 @@
     "audit": "pnpm audit --level=high",
     "security:check": "pnpm exec npm audit --audit-level=high || true",
     "deps:update": "pnpm up --latest",
-    "type-check": "node ./scripts/run-type-check.mjs",
-    "type-check:versions": "node ./scripts/check-workspace-versions.mjs"
+    "version:sync": "node scripts/sync-version.mjs",
+    "version:check": "node scripts/sync-version.mjs --check"
   },
   "devDependencies": {
     "prettier": "^3.5.3",
diff --git a/releases/RELEASE_NOTES.md b/releases/RELEASE_NOTES.md
index 68c0df73a5b..c544f4640a7 100644
--- a/releases/RELEASE_NOTES.md
+++ b/releases/RELEASE_NOTES.md
@@ -1,33 +1,35 @@
-# v3.0.1 Release Notes
+# Codex v3.0.0 Release Notes
 
-## Highlights
+> **Current release document** for the v3.0.0 line.
+> Legacy v2.x release notes are archived at `releases/legacy/v2.x/RELEASE_NOTES.md`.
 
-This release standardizes how the fork tracks and imports changes from `openai/codex`.
+## Canonical Versioning
 
-- `origin` is canonically defined as `https://github.com/zapabob/codex.git`.
-- `upstream` is canonically defined as `https://github.com/openai/codex.git`.
-- The tracked upstream branch is fixed to `upstream/main`.
-- The tracked upstream release tag conventions are fixed to `rust-v*` (primary) and `v*` (secondary compatibility).
-- The repository now keeps a machine-readable upstream intake record in `releases/upstream-sync.json`.
-- The reproducible sync entrypoint is `scripts/sync-upstream.sh` or `just sync-upstream`.
+- **Canonical source**: root `VERSION`
+- **Fork version**: `3.0.0`
+- **Upstream base**: `3.0.0`
+- **Release date**: 2026-03-19
 
-## Upstream Intake Record
+## What changed in v3.0.0
 
-| Field | Value |
-| --- | --- |
-| `source.repository` | `https://github.com/openai/codex.git` |
-| `source.branch` | `main` |
-| `source.commit` | `668330acc12b8907ecd82bc15148e0a627246783` |
-| `source.tag` | `null` |
-| `recorded_at` | `2026-03-19T20:08:57Z` |
+### Version governance
 
-## Conflict Policy Summary
+- Root `VERSION` is now the single source of truth for release-visible versioning.
+- `version-metadata.json` defines `fork_version` and `upstream_base` so tooling can distinguish fork releases from upstream alignment.
+- `scripts/sync-version.mjs` regenerates synced version displays and validates drift with `--check`.
 
-When upstream and custom code overlap, the repository now uses a documented policy:
+### Repository docs and manifests
 
-1. Adopt the official implementation when feature parity is sufficient.
-2. Re-inject only the demonstrated custom advantage in a follow-up commit.
-3. Preserve clearly custom-only areas until an official equivalent exists.
-4. Keep the provenance record updated whenever upstream is imported.
+- Synced the root `package.json`, Rust workspace version, and `packages/protocol-client/package.json` to v3.0.0.
+- Rebuilt the root changelog and release notes as **current release** documents for the v3.x line.
+- Archived the older v2.x release notes so the latest release is unambiguous.
 
-See `docs/repository-relationship.md` for the full policy and path-specific rules.
+## Sync procedure
+
+```bash
+# 1) edit VERSION (and version-metadata.json upstream_base if needed)
+node scripts/sync-version.mjs
+
+# 2) verify no drift remains
+node scripts/sync-version.mjs --check
+```
diff --git a/releases/legacy/v2.x/CHANGELOG.md b/releases/legacy/v2.x/CHANGELOG.md
new file mode 100644
index 00000000000..3e6afbbf143
--- /dev/null
+++ b/releases/legacy/v2.x/CHANGELOG.md
@@ -0,0 +1,225 @@
+# Changelog Archive — v2.x Release Line
+
+This archive preserves the pre-v3 changelog entries that were previously published from the repository root.
+For the current release line, see [`../../../CHANGELOG.md`](../../../CHANGELOG.md).
+
+---
+
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2.17.0] - 2026-02-20 - "Upstream Sync & API Refinements"
+
+### 🚀 Major Features
+
+**This release merges the latest upstream commits from openai/codex, incorporating new API changes, bug fixes, and security updates while preserving all custom zapabob extensions.**
+
+### ✨ Added (from upstream)
+
+- **MCP OAuth Support** - Enhanced MCP server authentication with OAuth flow
+- **Permissions Proxy** - New permissions proxy layer for fine-grained access control
+- **Auth Plan Support** - Session info now includes auth plan for better UX
+- **AnimationEnabled API Change** - Frame scheduler replaces direct animations_enabled flag
+- **Apps Tools Cache Context** - New cache context parameter for MCP client initialization
+- **Model Catalog Integration** - ModelsManager and ThreadManager now accept optional model catalog
+
+### 🔒 Security (from upstream)
+
+- **CVE-2026-24842** - Addressed identified security vulnerability
+- Dependency updates across Node.js ecosystem (pnpm audit fixes)
+
+### 🔧 Fixed
+
+- `find_model_info_for_slug` renamed to `model_info_from_slug` (API alignment)
+- `CancelErr` struct pattern matching updated (was enum variant, now struct)
+- `ToolRouter::from_config` app_tools parameter added
+- `UnifiedExecProcessDetails` now includes `recent_chunks` field
+- `spinner()` function signature simplified (removed `animations_enabled` parameter)
+- History cell module structure aligned with upstream flat layout
+
+### 🛠️ Custom Features Preserved (zapabob)
+
+- Deep Research multi-source module (`codex-rs/deep-research/`)
+- Supervisor agent lifecycle management (`codex-rs/supervisor/`)
+- Remote image URLs support in UserMessage
+- Git4D feature gates maintained
+- Web search call animations support
+
+---
+
+## [2.16.0] - 2026-02-13 - "Upstream Sync & Security Hardening"
+
+### 🚀 Major Features
+
+**This release merges 226 upstream commits from openai/codex, incorporating the latest security fixes, bug fixes, and new features while preserving all custom zapabob extensions.**
+
+### ✅ Added (from upstream)
+
+- **Apps MCP Gateway** (`apps_mcp_gateway`) - New gateway for apps integration
+- **Shell Tool MCP** - Patched zsh build pipeline for improved shell execution
+- **Thread/List CWD** - Added `cwd` as optional field to thread/list API
+- **Feature Flags Testing** - Verify enabled-by-default feature flags are stable
+- **TurnContextItem Persistence** - Complete state persisted via canonical conversion
+- **Approvals Scenarios** - More comprehensive approval workflow testing
+
+### 🔒 Security (from upstream)
+
+- **DNS Rebinding Fix** - Resolved DNS rebinding vulnerability in network proxy
+- **Sandbox Bypass Fix** - Fixed sandbox bypass vulnerability
+- **Exec Policy Path Confusion** - Resolved path confusion in exec policy
+- **Case-Insensitivity Vulnerability** - Fixed case-insensitive matching exploit
+- **Git Command Safety** - Removed git commands from dangerous command checks
+
+### 🐛 Fixed (from upstream)
+
+- **NUX Display** - Don't show NUX for upgrade-target models that are hidden
+- **App Loading Logic** - Fixed app loading sequence
+- **TUI Improvements** - Delta streaming, compaction events, approvals UI
+
+### 📦 Preserved Custom Features (zapabob)
+
+- `codex-gui-x/` - Custom GUI implementation
+- `prism-mcp-server/`, `prism-web/` - Prism MCP integrations
+- WebXR Git visualization with cyberpunk effects
+- AI tool orchestration (task distribution, result integration)
+- Bilingual README and GH Pages
+- Fast build system and hot reload installation
+- CI/CD customizations and release packaging
+
+### 🔧 Technical Details
+
+- **Merge Strategy**: `git merge upstream/main` with Python-automated conflict resolution
+- **Conflicts Resolved**: 51 files (0 failures)
+- **Upstream Commits Merged**: 226
+- **Files Changed**: 594 files (+41,384 / -11,057 lines)
+- **Module Restructuring**: `codex-rs/common/` merged into `codex-rs/utils/cli/`, hooks module restructured
+
+### 📈 Dependencies
+
+- pnpm 10.28.2, node >=22
+- Various Cargo dependency updates (axum, clap, tokio, etc.)
+
+---
+
+## [2.9.0] - 2026-01-04 - "Fast Build & Hot Reload System"
+
+### 🚀 Major Features
+
+**This release introduces a complete build and deployment pipeline overhaul with hot reload capabilities and integrated release packaging.**
+
+### ✅ Added
+
+- **Fast Incremental Build System (`scripts/fast_build.py`)**
+  - MD5 hash-based change detection for intelligent rebuilds
+  - Cargo incremental compilation optimization
+  - Parallel build processing with CPU core utilization
+  - tqdm-powered progress visualization
+  - Build cache persistence (`.build_cache.pkl`)
+
+- **Hot Reload Installation System (`scripts/build_and_install.py`)**
+  - Cross-platform process detection and termination (psutil)
+  - Atomic binary replacement with safety checks
+  - Platform-specific installation (Windows/macOS/Linux)
+  - Installation verification with version checking
+  - PowerShell integration for Windows deployment
+
+- **Integrated Release Packaging**
+  - GitHub Actions workflow for cross-platform tgz packages
+  - All-platform binaries in single downloadable archive
+  - Automated install script generation (`install.sh`)
+  - Comprehensive release documentation (`INSTALL.md`)
+  - Release notes with installation instructions
+
+- **Development Tools Enhancement**
+  - `just fast-build` - Quick incremental builds
+  - `just build-install` - Full pipeline execution
+  - `just install-kill` - Direct binary replacement
+  - Process-safe deployment with zero-downtime updates
+
+### 🎯 Performance Improvements
+
+- **Build Speed**: Up to 70% faster incremental builds with change detection
+- **Deployment Time**: Instant hot reload with process management
+- **Release Size**: Optimized binaries with integrated packaging
+- **Developer Experience**: One-command build and deploy workflow
+
+### 🔧 Technical Details
+
+- **Incremental Compilation**: Leverages Cargo's incremental features
+- **Process Management**: Safe termination with psutil cross-platform support
+- **Package Distribution**: Unified tgz format for all target platforms
+- **Cache Strategy**: Persistent build state with intelligent invalidation
+
+### 📦 Distribution
+
+- **Release Archive**: Single `codex-2.9.0.tgz` containing all platform binaries
+- **Installation**: `./install.sh` for automatic platform detection and setup
+- **Verification**: Built-in version checking and integrity validation
+
+## [2.8.3] - 2026-01-03 - "Build System Improvements & Repository Organization"
+
+### 🎯 Interview-Ready Release
+
+**This release transforms Codex from a personal project into enterprise-ready tooling with comprehensive documentation, benchmarks, and security hardening.**
+
+### ✅ Added
+
+- **Interview-Focused Documentation Suite**
+  - `docs/plan/README.md` - 5-minute Plan Mode quickstart guide
+  - `docs/benchmarks/` - Performance measurement methodology (Sub-agents: 2.6x speedup, CUDA: 3.7x speedup)
+  - `examples/` - Production-ready sample projects (Node.js API, React Todo App)
+  - `SECURITY.md` - Detailed sandbox architecture and audit logging
+
+- **Real-World Examples**
+  - `examples/node-api/` - REST API with Jest testing (96% quality score)
+  - `examples/react-todo/` - React + TypeScript app with localStorage persistence
+  - Sample projects demonstrate Codex's Plan Mode and Sub-agent orchestration
+
+- **Benchmark Infrastructure**
+  - Sub-agent performance measurement achieving 2.59x average speedup
+  - CUDA acceleration benchmarks with 3.74x GPU speedup
+  - Quality metrics: Type safety (100%), Code style (98.2%), Test coverage (96.7%)
+
+- **Security Hardening**
+  - Process isolation with read-only default sandbox
+  - Structured audit logging with HMAC signatures
+  - Approval gates for risky operations (shell, network, package install)
+
+### 🔧 Changed
+
+- **README.md** - Complete rewrite for interview-readiness
+  - Removed "production-ready" claims, replaced with "stable/experimental" status
+  - Added "Why Codex?" and "Safety model" sections
+  - Feature matrix now links to real documentation paths
+  - Status: CLI + Plan Mode + Sub-agents marked as **stable**
+
+- **Documentation Structure**
+  - Moved from scattered docs to organized structure
+  - Added proof links for all feature claims
+  - Included adoption-focused use cases
+
+### 🐛 Fixed
+
+- Build system compilation errors (22 fixed)
+- Type safety improvements throughout codebase
+- Repository organization (6,979 files systematically organized)
+
+### 📈 Performance
+
+- **Sub-agent Speedup**: 2.59x average across test cases
+- **CUDA Acceleration**: 3.74x speedup on RTX 3080
+- **Quality Maintenance**: 97.5% average quality score with parallel execution
+- **Build Performance**: sccache integration for faster incremental builds
+
+### 🔒 Security
+
+- Default sandbox: read-only mode
+- Explicit approval required for file writes, shell commands, network access
+- Comprehensive audit logging with tamper-evident signatures
+- Zero-day vulnerability count: 0 (v2.8.3)
+
+## [2.8.0] - 2025-12-15 - "CUDA Acceleration & Quality Assurance"
diff --git a/releases/legacy/v2.x/RELEASE_NOTES.md b/releases/legacy/v2.x/RELEASE_NOTES.md
new file mode 100644
index 00000000000..bd9fd318b7e
--- /dev/null
+++ b/releases/legacy/v2.x/RELEASE_NOTES.md
@@ -0,0 +1,38 @@
+# Release Notes Archive — v2.x Release Line
+
+This archive preserves the prior root release notes for the 2.x line.
+For the current release line, see [`../../RELEASE_NOTES.md`](../../RELEASE_NOTES.md).
+
+---
+
+# v2.13.0 Release Notes
+
+## 🌟 Highlights
+
+This release focuses on **GUI enhancements** and **System Integration**, bridging the gap between the web interface and the underlying specific command-line tools.
+
+- **GUI Dashboard with Real-Time Metrics**: Monitor CPU, RAM, and GPU usage in real-time via the new Node.js backend (`gui/server.js`).
+- **Collapsible Sidebar**: Improved screen real estate management with a new collapsible sidebar component.
+- **CLI Bridge**: Execute CLI commands directly from the GUI, enabling a seamless workflow between visual and terminal operations.
+- **SSR Fixes**: Resolved Next.js Server-Side Rendering issues for a smoother user experience.
+
+## 🇯🇵 日本語リリースノート
+
+本リリースでは、GUIの強化とシステム統合に焦点を当てています。
+
+- **リアルタイムメトリクス**: Node.jsバックエンドにより、CPU/メモリ/GPUの使用率をGUI上でリアルタイム監視可能になりました。
+- **サイドバー改善**: 折りたたみ可能なサイドバーを実装し、作業領域を広く使えるようになりました。
+- **CLI連携**: GUIから直接CLIコマンドを実行できるブリッジ機能を追加しました。
+- **SSR修正**: Next.jsのServer-Side Renderingに関する問題を修正し、安定性を向上させました。
+
+## 🛡️ Security
+
+- **Updated Dependencies**: Bumped `sysinfo`, `ws`, `cors` and other core dependencies.
+- **Pre-commit Checks**: Passed rigorous Clippy and Large File checks.
+
+## 📦 Changes
+
+- feat(gui): Implement collapsible sidebar, real metrics server, and CLI integration
+- fix(gui): Resolve window is not defined SSR error
+- chore: Update workspace versions to v2.13.0
+- doc: Rewrite README.md for better recruitment appeal (Bilingual)
diff --git a/scripts/bump-version.ps1 b/scripts/bump-version.ps1
index 3d79f943b5d..271a88ab61d 100644
--- a/scripts/bump-version.ps1
+++ b/scripts/bump-version.ps1
@@ -62,8 +62,6 @@ Set-Content -Path "VERSION" -Value $NewVersion -Encoding UTF8 -NoNewline
 Write-Host "✅ Version bumped: $CurrentVersion → $NewVersion" -ForegroundColor Green
 Write-Host ""
 Write-Host "次のステップ:" -ForegroundColor Cyan
-Write-Host "  1. CHANGELOG.md を更新" -ForegroundColor Yellow
-Write-Host "  2. codex-rs/Cargo.toml のバージョンを更新" -ForegroundColor Yellow
-Write-Host "  3. codex-cli/package.json のバージョンを更新" -ForegroundColor Yellow
-Write-Host "  4. git commit -m 'chore: bump version to $NewVersion'" -ForegroundColor Yellow
-
+Write-Host "  1. node scripts/sync-version.mjs を実行" -ForegroundColor Yellow
+Write-Host "  2. node scripts/sync-version.mjs --check で整合性確認" -ForegroundColor Yellow
+Write-Host "  3. git commit -m 'chore: bump version to $NewVersion'" -ForegroundColor Yellow
diff --git a/scripts/sync-version.mjs b/scripts/sync-version.mjs
new file mode 100755
index 00000000000..e960882a994
--- /dev/null
+++ b/scripts/sync-version.mjs
@@ -0,0 +1,168 @@
+#!/usr/bin/env node
+import fs from 'node:fs';
+import path from 'node:path';
+import process from 'node:process';
+
+const repoRoot = process.cwd();
+const isCheck = process.argv.includes('--check');
+const metadataPath = path.join(repoRoot, 'version-metadata.json');
+const versionPath = path.join(repoRoot, 'VERSION');
+
+function readText(relPath) {
+  return fs.readFileSync(path.join(repoRoot, relPath), 'utf8');
+}
+
+function writeText(relPath, content) {
+  fs.writeFileSync(path.join(repoRoot, relPath), content);
+}
+
+function readJson(relPath) {
+  return JSON.parse(readText(relPath));
+}
+
+function writeJson(relPath, value) {
+  writeText(relPath, `${JSON.stringify(value, null, 2)}\n`);
+}
+
+function updateFile(relPath, nextContent) {
+  const current = fs.existsSync(path.join(repoRoot, relPath)) ? readText(relPath) : null;
+  if (current === nextContent) {
+    return false;
+  }
+  if (isCheck) {
+    throw new Error(`${relPath} is out of sync`);
+  }
+  writeText(relPath, nextContent);
+  return true;
+}
+
+function replaceMatch(source, pattern, replacement, description) {
+  if (!pattern.test(source)) {
+    throw new Error(`Unable to update ${description}`);
+  }
+  pattern.lastIndex = 0;
+  return source.replace(pattern, replacement);
+}
+
+const metadata = readJson('version-metadata.json');
+if (metadata.canonical_source !== 'VERSION') {
+  throw new Error(`Unsupported canonical source: ${metadata.canonical_source}`);
+}
+
+const versionFromFile = fs.readFileSync(versionPath, 'utf8').trim();
+const canonicalVersion = versionFromFile;
+const releaseDate = metadata.release_date;
+
+if (metadata.fork_version !== canonicalVersion) {
+  if (isCheck) {
+    throw new Error(`version-metadata.json fork_version (${metadata.fork_version}) does not match VERSION (${canonicalVersion})`);
+  }
+  metadata.fork_version = canonicalVersion;
+  writeJson('version-metadata.json', metadata);
+}
+
+const filesUpdated = [];
+
+const rootPackage = readJson('package.json');
+rootPackage.version = canonicalVersion;
+if (!rootPackage.scripts['version:sync']) {
+  rootPackage.scripts['version:sync'] = 'node scripts/sync-version.mjs';
+}
+if (!rootPackage.scripts['version:check']) {
+  rootPackage.scripts['version:check'] = 'node scripts/sync-version.mjs --check';
+}
+if (JSON.stringify(rootPackage, null, 2) + '\n' !== readText('package.json')) {
+  if (isCheck) throw new Error('package.json is out of sync');
+  writeJson('package.json', rootPackage);
+  filesUpdated.push('package.json');
+}
+
+for (const relPath of metadata.sync_targets.package_json) {
+  const pkg = readJson(relPath);
+  if (pkg.version !== canonicalVersion) {
+    pkg.version = canonicalVersion;
+    if (isCheck) throw new Error(`${relPath} is out of sync`);
+    writeJson(relPath, pkg);
+    filesUpdated.push(relPath);
+  }
+}
+
+const cargoPath = metadata.sync_targets.cargo_workspace;
+const cargoToml = readText(cargoPath);
+const nextCargo = replaceMatch(
+  cargoToml,
+  /(\[workspace\.package\][\s\S]*?version = ")([^"]+)(")/,
+  `$1${canonicalVersion}$3`,
+  'workspace package version',
+);
+if (nextCargo !== cargoToml) {
+  if (isCheck) throw new Error(`${cargoPath} is out of sync`);
+  writeText(cargoPath, nextCargo);
+  filesUpdated.push(cargoPath);
+}
+
+const changelogArchive = metadata.sync_targets.archives.changelog;
+const releaseArchive = metadata.sync_targets.archives.release_notes;
+
+const changelog = `# Changelog\n\nCurrent canonical version: **v${canonicalVersion}**.\nCanonical source: \`VERSION\`. Fork/upstream disambiguation lives in \`version-metadata.json\`.\n\n## Current Release — v${canonicalVersion} (${releaseDate})\n\n> This root changelog is the **current release line only**.\n> Legacy v2.x history has been moved to \`${changelogArchive}\` to make the latest release immediately obvious.\n\n### Changed\n\n- Adopted **root \`VERSION\`** as the single canonical version source for release-visible artifacts.\n- Added a machine-readable version metadata file with \`fork_version\` and \`upstream_base\` for fork/upstream conflict resolution.\n- Added generated sync automation for root/package manifests, workspace Cargo version, README display version, release notes, and changelog headers.\n\n### Docs\n\n- Split legacy **v2.x** history from the current **v3.x** release line.\n- Marked the root release notes and changelog as the current release documents.\n- Standardized the displayed release version across README badges and package metadata.\n\n## Historical Release Lines\n\n- **v2.x archive**: \`${changelogArchive}\`\n- **Legacy release notes**: \`${releaseArchive}\`\n`;
+if (updateFile('CHANGELOG.md', changelog)) {
+  filesUpdated.push('CHANGELOG.md');
+}
+
+const releaseNotes = `# Codex v${canonicalVersion} Release Notes\n\n> **Current release document** for the v${canonicalVersion} line.\n> Legacy v2.x release notes are archived at \`${releaseArchive}\`.\n\n## Canonical Versioning\n\n- **Canonical source**: root \`VERSION\`\n- **Fork version**: \`${canonicalVersion}\`\n- **Upstream base**: \`${metadata.upstream_base}\`\n- **Release date**: ${releaseDate}\n\n## What changed in v${canonicalVersion}\n\n### Version governance\n\n- Root \`VERSION\` is now the single source of truth for release-visible versioning.\n- \`version-metadata.json\` defines \`fork_version\` and \`upstream_base\` so tooling can distinguish fork releases from upstream alignment.\n- \`scripts/sync-version.mjs\` regenerates synced version displays and validates drift with \`--check\`.\n\n### Repository docs and manifests\n\n- Synced the root \`package.json\`, Rust workspace version, and \`packages/protocol-client/package.json\` to v${canonicalVersion}.\n- Rebuilt the root changelog and release notes as **current release** documents for the v3.x line.\n- Archived the older v2.x release notes so the latest release is unambiguous.\n\n## Sync procedure\n\n\`\`\`bash\n# 1) edit VERSION (and version-metadata.json upstream_base if needed)\nnode scripts/sync-version.mjs\n\n# 2) verify no drift remains\nnode scripts/sync-version.mjs --check\n\`\`\`\n`;
+if (updateFile('releases/RELEASE_NOTES.md', releaseNotes)) {
+  filesUpdated.push('releases/RELEASE_NOTES.md');
+}
+
+let readme = readText('README.md');
+readme = replaceMatch(
+  readme,
+  /\[!\[Version\]\(https:\/\/img\.shields\.io\/badge\/version-v[^\]]+\]\(https:\/\/github\.com\/zapabob\/codex\/releases\/tag\/v[^)]+\)/,
+  `[![Version](https://img.shields.io/badge/version-v${canonicalVersion}-blue)](https://github.com/zapabob/codex/releases/tag/v${canonicalVersion})`,
+  'README version badge',
+);
+readme = replaceMatch(
+  readme,
+  /\| \*\*📡 New in v[^*]+\*\*\s+\|[^\n]+/,
+  `| **📡 New in v${canonicalVersion}**  | Protocol v2 update, improved sub-agent parallelization, linking speed++ |`,
+  'README feature matrix version row',
+);
+readme = replaceMatch(
+  readme,
+  /### What's New in v[^\n]+/,
+  `### What's New in v${canonicalVersion}`,
+  'README current release heading',
+);
+readme = replaceMatch(
+  readme,
+  /- \*\*New in v[^*]+\*\*: Protocol alignment with latest Model Context Protocol specs\./,
+  `- **New in v${canonicalVersion}**: Protocol alignment with latest Model Context Protocol specs.`,
+  'README MCP note',
+);
+const managedBlock = `<!-- version-sync:start -->\n> **Current release:** v${canonicalVersion} (${releaseDate}) · canonical source \`VERSION\` · fork/upstream mapping in \`version-metadata.json\`.\n> Legacy v2.x release notes are archived under \`${releaseArchive}\`.\n<!-- version-sync:end -->`;
+if (/<!-- version-sync:start -->[\s\S]*?<!-- version-sync:end -->/.test(readme)) {
+  readme = readme.replace(/<!-- version-sync:start -->[\s\S]*?<!-- version-sync:end -->/, managedBlock);
+} else {
+  readme = readme.replace('</div>\n\n---', `</div>\n\n${managedBlock}\n\n---`);
+}
+if (updateFile('README.md', readme)) {
+  filesUpdated.push('README.md');
+}
+
+let bumpScript = readText('scripts/bump-version.ps1');
+bumpScript = bumpScript.replace(
+  /Write-Host "  1\. CHANGELOG\.md を更新"[\s\S]*$/,
+  `Write-Host "  1. node scripts/sync-version.mjs を実行" -ForegroundColor Yellow\nWrite-Host "  2. node scripts/sync-version.mjs --check で整合性確認" -ForegroundColor Yellow\nWrite-Host "  3. git commit -m 'chore: bump version to ${'$'}NewVersion'" -ForegroundColor Yellow\n`,
+);
+if (updateFile('scripts/bump-version.ps1', bumpScript)) {
+  filesUpdated.push('scripts/bump-version.ps1');
+}
+
+if (filesUpdated.length === 0) {
+  console.log(`Version artifacts already synced at v${canonicalVersion}`);
+} else {
+  console.log(`Synced ${filesUpdated.length} files to v${canonicalVersion}`);
+  for (const file of filesUpdated) {
+    console.log(`- ${file}`);
+  }
+}
diff --git a/version-metadata.json b/version-metadata.json
new file mode 100644
index 00000000000..43635b711b0
--- /dev/null
+++ b/version-metadata.json
@@ -0,0 +1,26 @@
+{
+  "schema_version": 1,
+  "canonical_source": "VERSION",
+  "fork_version": "3.0.0",
+  "upstream_base": "3.0.0",
+  "release_date": "2026-03-19",
+  "current_release_line": "3.x",
+  "legacy_release_line": "2.x",
+  "sync_targets": {
+    "cargo_workspace": "codex-rs/Cargo.toml",
+    "package_json": [
+      "package.json",
+      "gui/package.json",
+      "packages/protocol-client/package.json"
+    ],
+    "docs": [
+      "README.md",
+      "CHANGELOG.md",
+      "releases/RELEASE_NOTES.md"
+    ],
+    "archives": {
+      "changelog": "releases/legacy/v2.x/CHANGELOG.md",
+      "release_notes": "releases/legacy/v2.x/RELEASE_NOTES.md"
+    }
+  }
+}