chore(core) Deprecate approval_policy: on-failure (#11631)

## Summary In an effort to start simplifying our sandbox setup, we're announcing this approval_policy as deprecated. In general, it performs worse than `on-request`, and we're focusing on making fewer sandbox configurations perform much better. ## Testing - [x] Tested locally - [x] Existing tests pass
2026-04-26 07:35:29 +00:00 · 2026-02-12 13:23:30 -08:00
parent 5c3ca73914
commit 4668feb43a
18 changed files with 31 additions and 20 deletions
--- a/codex-rs/protocol/src/protocol.rs
+++ b/codex-rs/protocol/src/protocol.rs
@@ -356,10 +356,12 @@ pub enum AskForApproval {
    #[strum(serialize = "untrusted")]
    UnlessTrusted,

-    /// *All* commands are auto‑approved, but they are expected to run inside a
-    /// sandbox where network access is disabled and writes are confined to a
-    /// specific set of paths. If the command fails, it will be escalated to
-    /// the user to approve execution without a sandbox.
+    /// DEPRECATED: *All* commands are auto‑approved, but they are expected to
+    /// run inside a sandbox where network access is disabled and writes are
+    /// confined to a specific set of paths. If the command fails, it will be
+    /// escalated to the user to approve execution without a sandbox.
+    /// Prefer `OnRequest` for interactive runs or `Never` for non-interactive
+    /// runs.
    OnFailure,

    /// The model decides when to ask the user for approval.