add --dangerously-bypass-hook-trust CLI flag (#21768)

# Why Hook trust happens through the TUI in `/hooks` so it can block non-interactive use cases. This flag will allow users that are using codex headlessly to bypass hooks when they want to. # What This adds one invocation-scoped escape hatch. - the CLI flag sets a runtime-only `bypass_hook_trust` override; there is no durable `config.toml` setting - hook discovery still respects normal enablement, so explicitly disabled hooks remain disabled - we show a `--dangerously-bypass-hook-trust is enabled. Enabled hooks may run without review for this invocation.` message on startup so accidental use is visible in both interactive and exec flows This keeps “enabled” and “trusted” as separate concepts in the normal path, while giving CI/E2E callers a stable way to opt into the exceptional path when they already control the hook set.
2026-06-01 19:02:59 +00:00 · 2026-05-13 03:13:57 -04:00
parent 934a40c7d9
commit 392e94e9ea
16 changed files with 252 additions and 16 deletions
--- a/codex-rs/utils/cli/src/shared_options.rs
+++ b/codex-rs/utils/cli/src/shared_options.rs
@@ -47,6 +47,11 @@ pub struct SharedCliOptions {
    )]
    pub dangerously_bypass_approvals_and_sandbox: bool,

+    /// Run enabled hooks without requiring persisted hook trust for this invocation.
+    /// DANGEROUS. Intended only for automation that already vets hook sources.
+    #[arg(long = "dangerously-bypass-hook-trust", default_value_t = false)]
+    pub bypass_hook_trust: bool,
+
    /// Tell the agent to use the specified directory as its working root.
    #[clap(long = "cd", short = 'C', value_name = "DIR")]
    pub cwd: Option<PathBuf>,
@@ -68,6 +73,7 @@ impl SharedCliOptions {
            config_profile,
            sandbox_mode,
            dangerously_bypass_approvals_and_sandbox,
+            bypass_hook_trust,
            cwd,
            add_dir,
        } = self;
@@ -79,6 +85,7 @@ impl SharedCliOptions {
            config_profile: root_config_profile,
            sandbox_mode: root_sandbox_mode,
            dangerously_bypass_approvals_and_sandbox: root_dangerously_bypass_approvals_and_sandbox,
+            bypass_hook_trust: root_bypass_hook_trust,
            cwd: root_cwd,
            add_dir: root_add_dir,
        } = root;
@@ -102,6 +109,9 @@ impl SharedCliOptions {
            *dangerously_bypass_approvals_and_sandbox =
                *root_dangerously_bypass_approvals_and_sandbox;
        }
+        if !*bypass_hook_trust {
+            *bypass_hook_trust = *root_bypass_hook_trust;
+        }
        if cwd.is_none() {
            cwd.clone_from(root_cwd);
        }
@@ -128,6 +138,7 @@ impl SharedCliOptions {
            config_profile,
            sandbox_mode,
            dangerously_bypass_approvals_and_sandbox,
+            bypass_hook_trust,
            cwd,
            add_dir,
        } = subcommand;
@@ -149,6 +160,9 @@ impl SharedCliOptions {
            self.dangerously_bypass_approvals_and_sandbox =
                dangerously_bypass_approvals_and_sandbox;
        }
+        if bypass_hook_trust {
+            self.bypass_hook_trust = true;
+        }
        if let Some(cwd) = cwd {
            self.cwd = Some(cwd);
        }