fix: Revert danger-full-access denylist-only mode (#17732)

## Summary - Reverts openai/codex#16946 and removes the danger-full-access denylist-only network mode. - Removes the corresponding config requirements, app-server protocol/schema, config API, TUI debug output, and network proxy behavior. - Drops stale tests that depended on the reverted mode while preserving newer managed allowlist-only coverage. ## Verification - `just write-app-server-schema` - `just fmt` - `cargo test -p codex-config network_requirements` - `cargo test -p codex-core network_proxy_spec` - `cargo test -p codex-core managed_network_proxy_decider_survives_full_access_start` - `cargo test -p codex-app-server map_requirements_toml_to_api` - `cargo test -p codex-tui debug_config_output` - `cargo test -p codex-app-server-protocol` - `just fix -p codex-config -p codex-core -p codex-app-server-protocol -p codex-app-server -p codex-tui` - `git diff --cached --check` Not run: full workspace `cargo test` (repo instructions ask for confirmation before that broader run).
2026-04-30 09:26:44 +00:00 · 2026-04-14 09:50:14 -07:00
parent b3ae531b3a
commit 81c0bcc921
17 changed files with 60 additions and 384 deletions
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -899,7 +899,6 @@ pub struct NetworkRequirements {
    /// Legacy compatibility view derived from `unix_sockets`.
    pub allow_unix_sockets: Option<Vec<String>>,
    pub allow_local_binding: Option<bool>,
-    pub danger_full_access_denylist_only: Option<bool>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
@@ -8103,7 +8102,6 @@ mod tests {
                dangerously_allow_all_unix_sockets: None,
                domains: None,
                managed_allowed_domains_only: None,
-                danger_full_access_denylist_only: None,
                allowed_domains: Some(vec!["api.openai.com".to_string()]),
                denied_domains: Some(vec!["blocked.example.com".to_string()]),
                unix_sockets: None,
@@ -8130,7 +8128,6 @@ mod tests {
                ),
            ])),
            managed_allowed_domains_only: Some(true),
-            danger_full_access_denylist_only: Some(true),
            allowed_domains: Some(vec!["api.openai.com".to_string()]),
            denied_domains: Some(vec!["blocked.example.com".to_string()]),
            unix_sockets: Some(BTreeMap::from([
@@ -8161,7 +8158,6 @@ mod tests {
                    "blocked.example.com": "deny"
                },
                "managedAllowedDomainsOnly": true,
-                "dangerFullAccessDenylistOnly": true,
                "allowedDomains": ["api.openai.com"],
                "deniedDomains": ["blocked.example.com"],
                "unixSockets": {