clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-01 18:06:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

POC - Configurable ReadAcess in WorkspaceWrite SandboxPolicy

Browse Source
This commit is contained in:
Leo Shimonaka
2026-02-11 10:47:26 -08:00
parent d74fa8edd1
commit 04df7970fc
49 changed files with 1654 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
codex-rs/app-server/README.md
View File

@@ -288,7 +288,11 @@ You can optionally specify config overrides on the new turn. If specified, these
"sandboxPolicy": {
"type": "workspaceWrite",
"writableRoots": ["/Users/me/project"],
"networkAccess": true
"networkAccess": true,
"readAccess": {
"type": "restrictedReadAccess",
"readableRoots": ["/Users/me/project", "/Users/me/project/.cache"]
}
},
"model": "gpt-5.1-codex",
"effort": "medium",
@@ -468,7 +472,7 @@ Run a standalone command (argv vector) in the servers sandbox without creatin
Notes:
- Empty `command` arrays are rejected.
- `sandboxPolicy` accepts the same shape used by `turn/start` (e.g., `dangerFullAccess`, `readOnly`, `workspaceWrite` with flags, `externalSandbox` with `networkAccess` `restricted|enabled`).
- `sandboxPolicy` accepts the same shape used by `turn/start` (e.g., `dangerFullAccess`, `readOnly`, `workspaceWrite` with flags including optional `readAccess`, `externalSandbox` with `networkAccess` `restricted|enabled`).
- When omitted, `timeoutMs` falls back to the server default.
## Events