fix: make $PWD/.agents read-only like $PWD/.codex (#10524)

In light of https://github.com/openai/codex/pull/10317, because `.agents` can include resources that Codex can run in a privileged way, it should be read-only by default just as `.codex` is.
2026-04-24 22:54:54 +00:00 · 2026-02-03 11:26:34 -08:00
parent c38a5958d7
commit 9a487f9c18
1 changed files with 11 additions and 6 deletions
--- a/codex-rs/protocol/src/protocol.rs
+++ b/codex-rs/protocol/src/protocol.rs
@@ -589,13 +589,18 @@ impl SandboxPolicy {
                            }
                            subpaths.push(top_level_git);
                        }
-                        #[allow(clippy::expect_used)]
-                        let top_level_codex = writable_root
-                            .join(".codex")
-                            .expect(".codex is a valid relative path");
-                        if top_level_codex.as_path().is_dir() {
-                            subpaths.push(top_level_codex);
+
+                        // Make .agents/skills and .codex/config.toml and
+                        // related files read-only to the agent, by default.
+                        for subdir in &[".agents", ".codex"] {
+                            #[allow(clippy::expect_used)]
+                            let top_level_codex =
+                                writable_root.join(subdir).expect("valid relative path");
+                            if top_level_codex.as_path().is_dir() {
+                                subpaths.push(top_level_codex);
+                            }
                        }
+
                        WritableRoot {
                            root: writable_root,
                            read_only_subpaths: subpaths,