feat: add support for /etc/codex/requirements.toml on UNIX (#8277)

This implements the new config design where config _requirements_ are loaded separately (and with a special schema) as compared to config _settings_. In particular, on UNIX, with this PR, you could define `/etc/codex/requirements.toml` with: ```toml allowed_approval_policies = ["never", "on-request"] ``` to enforce that `Config.approval_policy` must be one of those two values when Codex runs. We plan to expand the set of things that can be restricted by `/etc/codex/requirements.toml` in short order. Note that requirements can come from several sources: - new MDM key on macOS (not implemented yet) - `/etc/codex/requirements.toml` - re-interpretation of legacy MDM key on macOS (`com.openai.codex/config_toml_base64`) - re-interpretation of legacy `/etc/codex/managed_config.toml` So our resolution strategy is to load TOML data from those sources, in order. Later TOMLs are "merged" into previous TOMLs, but any field that is already set cannot be overwritten. See `ConfigRequirementsToml::merge_unset_fields()`.
2026-04-25 23:24:55 +00:00 · 2025-12-18 13:36:55 -08:00
parent 4fb0b547d6
commit 2f048f2063
3 changed files with 186 additions and 16 deletions
--- a/codex-rs/core/src/config_loader/tests.rs
+++ b/codex-rs/core/src/config_loader/tests.rs
@@ -1,6 +1,11 @@
 use super::LoaderOverrides;
 use super::load_config_layers_state;
 use crate::config::CONFIG_TOML_FILE;
+use crate::config_loader::ConfigRequirements;
+use crate::config_loader::config_requirements::ConfigRequirementsToml;
+use crate::config_loader::load_requirements_toml;
+use codex_protocol::protocol::AskForApproval;
+use pretty_assertions::assert_eq;
 use tempfile::tempdir;
 use toml::Value as TomlValue;

@@ -147,3 +152,40 @@ flag = true
    );
    assert_eq!(nested.get("flag"), Some(&TomlValue::Boolean(false)));
 }
+
+#[tokio::test(flavor = "current_thread")]
+async fn load_requirements_toml_produces_expected_constraints() -> anyhow::Result<()> {
+    let tmp = tempdir()?;
+    let requirements_file = tmp.path().join("requirements.toml");
+    tokio::fs::write(
+        &requirements_file,
+        r#"
+allowed_approval_policies = ["never", "on-request"]
+"#,
+    )
+    .await?;
+
+    let mut config_requirements_toml = ConfigRequirementsToml::default();
+    load_requirements_toml(&mut config_requirements_toml, &requirements_file).await?;
+
+    assert_eq!(
+        config_requirements_toml.allowed_approval_policies,
+        Some(vec![AskForApproval::Never, AskForApproval::OnRequest])
+    );
+
+    let config_requirements: ConfigRequirements = config_requirements_toml.try_into()?;
+    assert_eq!(
+        config_requirements.approval_policy.value(),
+        AskForApproval::OnRequest
+    );
+    config_requirements
+        .approval_policy
+        .can_set(&AskForApproval::Never)?;
+    assert!(
+        config_requirements
+            .approval_policy
+            .can_set(&AskForApproval::OnFailure)
+            .is_err()
+    );
+    Ok(())
+}