clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-04 11:26:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add remote_sandbox_config to our config requirements (#18763)

Browse Source 
## Why

Customers need finer-grained control over allowed sandbox modes based on
the host Codex is running on. For example, they may want stricter
sandbox limits on devboxes while keeping a different default elsewhere.

Our current cloud requirements can target user/account groups, but they
cannot vary sandbox requirements by host. That makes remote development
environments awkward because the same top-level `allowed_sandbox_modes`
has to apply everywhere.

## What

Adds a new `remote_sandbox_config` section to `requirements.toml`:

```toml
allowed_sandbox_modes = ["read-only"]

[[remote_sandbox_config]]
hostname_patterns = ["*.org"]
allowed_sandbox_modes = ["read-only", "workspace-write"]

[[remote_sandbox_config]]
hostname_patterns = ["*.sh", "runner-*.ci"]
allowed_sandbox_modes = ["read-only", "danger-full-access"]
```

During requirements resolution, Codex resolves the local host name once,
preferring the machine FQDN when available and falling back to the
cleaned kernel hostname. This host classification is best effort rather
than authenticated device proof.

Each requirements source applies its first matching
`remote_sandbox_config` entry before it is merged with other sources.
The shared merge helper keeps that `apply_remote_sandbox_config` step
paired with requirements merging so new requirements sources do not have
to remember the extra call.

That preserves source precedence: a lower-precedence requirements file
with a matching `remote_sandbox_config` cannot override a
higher-precedence source that already set `allowed_sandbox_modes`.

This also wires the hostname-aware resolution through app-server,
CLI/TUI config loading, config API reads, and config layer metadata so
they all evaluate remote sandbox requirements consistently.

## Verification

- `cargo test -p codex-config remote_sandbox_config`
- `cargo test -p codex-config host_name`
- `cargo test -p codex-core
load_config_layers_applies_matching_remote_sandbox_config`
- `cargo test -p codex-core
system_remote_sandbox_config_keeps_cloud_sandbox_modes`
- `cargo test -p codex-config`
- `cargo test -p codex-core` unit tests passed; `tests/all.rs`
integration matrix was intentionally stopped after the relevant focused
tests passed
- `just fix -p codex-config`
- `just fix -p codex-core`
- `cargo check -p codex-app-server`
This commit is contained in:
Abhinav
2026-04-20 22:05:02 -07:00
committed by GitHub
parent 86535c9901
commit ab26554a3a
21 changed files with 598 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

208
codex-rs/config/src/config_requirements.rs
View File

@@ -11,6 +11,7 @@ use serde::de::value::Error as ValueDeserializerError;
use serde::de::value::StrDeserializer;
use std::collections::BTreeMap;
use std::fmt;
use wildmatch::WildMatchPattern;
use super::requirements_exec_policy::RequirementsExecPolicy;
use super::requirements_exec_policy::RequirementsExecPolicyToml;
@@ -620,6 +621,7 @@ pub struct ConfigRequirementsToml {
pub allowed_approval_policies: Option<Vec<AskForApproval>>,
pub allowed_approvals_reviewers: Option<Vec<ApprovalsReviewer>>,
pub allowed_sandbox_modes: Option<Vec<SandboxModeRequirement>>,
pub remote_sandbox_config: Option<Vec<RemoteSandboxConfigToml>>,
pub allowed_web_search_modes: Option<Vec<WebSearchModeRequirement>>,
#[serde(rename = "features", alias = "feature_requirements")]
pub feature_requirements: Option<FeatureRequirementsToml>,
@@ -633,6 +635,12 @@ pub struct ConfigRequirementsToml {
pub guardian_policy_config: Option<String>,
}
#[derive(Deserialize, Debug, Clone, PartialEq)]
pub struct RemoteSandboxConfigToml {
pub hostname_patterns: Vec<String>,
pub allowed_sandbox_modes: Vec<SandboxModeRequirement>,
}
/// Value paired with the requirement source it came from, for better error
/// messages.
#[derive(Debug, Clone, PartialEq)]
@@ -693,6 +701,7 @@ impl ConfigRequirementsWithSources {
allowed_approval_policies: _,
allowed_approvals_reviewers: _,
allowed_sandbox_modes: _,
remote_sandbox_config: _,
allowed_web_search_modes: _,
feature_requirements: _,
mcp_servers: _,
@@ -759,6 +768,7 @@ impl ConfigRequirementsWithSources {
allowed_approval_policies: allowed_approval_policies.map(|sourced| sourced.value),
allowed_approvals_reviewers: allowed_approvals_reviewers.map(|sourced| sourced.value),
allowed_sandbox_modes: allowed_sandbox_modes.map(|sourced| sourced.value),
remote_sandbox_config: None,
allowed_web_search_modes: allowed_web_search_modes.map(|sourced| sourced.value),
feature_requirements: feature_requirements.map(|sourced| sourced.value),
mcp_servers: mcp_servers.map(|sourced| sourced.value),
@@ -772,6 +782,19 @@ impl ConfigRequirementsWithSources {
}
}
fn normalize_hostname(hostname: &str) -> Option<String> {
let hostname = hostname.trim().trim_end_matches('.');
(!hostname.is_empty()).then(|| hostname.to_ascii_lowercase())
}
fn hostname_matches_any_pattern(hostname: &str, patterns: &[String]) -> bool {
patterns.iter().any(|pattern| {
normalize_hostname(pattern)
.map(|pattern| WildMatchPattern::<'*', '?'>::new_case_insensitive(&pattern))
.is_some_and(|pattern| pattern.matches(hostname))
})
}
/// Currently, `external-sandbox` is not supported in config.toml, but it is
/// supported through programmatic use.
#[derive(Deserialize, Debug, Clone, Copy, PartialEq)]
@@ -806,10 +829,27 @@ pub enum ResidencyRequirement {
}
impl ConfigRequirementsToml {
pub fn apply_remote_sandbox_config(&mut self, hostname: Option<&str>) {
let Some(hostname) = hostname.and_then(normalize_hostname) else {
return;
};
let Some(remote_sandbox_config) = self.remote_sandbox_config.as_ref() else {
return;
};
let Some(matched_config) = remote_sandbox_config
.iter()
.find(|config| hostname_matches_any_pattern(&hostname, &config.hostname_patterns))
else {
return;
};
self.allowed_sandbox_modes = Some(matched_config.allowed_sandbox_modes.clone());
}
pub fn is_empty(&self) -> bool {
self.allowed_approval_policies.is_none()
&& self.allowed_approvals_reviewers.is_none()
&& self.allowed_sandbox_modes.is_none()
&& self.remote_sandbox_config.is_none()
&& self.allowed_web_search_modes.is_none()
&& self
.feature_requirements
@@ -1099,6 +1139,7 @@ mod tests {
allowed_approval_policies,
allowed_approvals_reviewers,
allowed_sandbox_modes,
remote_sandbox_config: _,
allowed_web_search_modes,
feature_requirements,
mcp_servers,
@@ -1161,6 +1202,7 @@ mod tests {
allowed_approval_policies: Some(allowed_approval_policies.clone()),
allowed_approvals_reviewers: Some(allowed_approvals_reviewers.clone()),
allowed_sandbox_modes: Some(allowed_sandbox_modes.clone()),
remote_sandbox_config: None,
allowed_web_search_modes: Some(allowed_web_search_modes.clone()),
feature_requirements: Some(feature_requirements.clone()),
mcp_servers: None,
@@ -1883,6 +1925,172 @@ allowed_approvals_reviewers = ["user"]
Ok(())
}
#[test]
fn deserialize_remote_sandbox_config_requires_hostname_patterns_list() -> Result<()> {
let toml_str = r#"
[[remote_sandbox_config]]
hostname_patterns = ["*.org", "runner-??.ci"]
allowed_sandbox_modes = ["read-only", "workspace-write"]
"#;
let config: ConfigRequirementsToml = from_str(toml_str)?;
assert_eq!(
config.remote_sandbox_config,
Some(vec![RemoteSandboxConfigToml {
hostname_patterns: vec!["*.org".to_string(), "runner-??.ci".to_string()],
allowed_sandbox_modes: vec![
SandboxModeRequirement::ReadOnly,
SandboxModeRequirement::WorkspaceWrite,
],
}])
);
let err = from_str::<ConfigRequirementsToml>(
r#"
[[remote_sandbox_config]]
hostname_patterns = "*.org"
allowed_sandbox_modes = ["read-only"]
"#,
)
.expect_err("hostname_patterns should be list-only");
assert!(
err.to_string().contains("invalid type: string"),
"unexpected error: {err}"
);
Ok(())
}
#[test]
fn remote_sandbox_config_first_match_overrides_top_level() -> Result<()> {
let source = RequirementSource::CloudRequirements;
let mut requirements_toml: ConfigRequirementsToml = from_str(
r#"
allowed_sandbox_modes = ["read-only"]
[[remote_sandbox_config]]
hostname_patterns = ["build-*.example.com"]
allowed_sandbox_modes = ["read-only", "workspace-write"]
[[remote_sandbox_config]]
hostname_patterns = ["build-01.example.com"]
allowed_sandbox_modes = ["read-only", "danger-full-access"]
"#,
)?;
requirements_toml.apply_remote_sandbox_config(Some("BUILD-01.EXAMPLE.COM."));
let mut requirements_with_sources = ConfigRequirementsWithSources::default();
requirements_with_sources.merge_unset_fields(source.clone(), requirements_toml);
assert_eq!(
requirements_with_sources
.allowed_sandbox_modes
.as_ref()
.map(|sourced| sourced.value.clone()),
Some(vec![
SandboxModeRequirement::ReadOnly,
SandboxModeRequirement::WorkspaceWrite,
])
);
let requirements = ConfigRequirements::try_from(requirements_with_sources)?;
let root = if cfg!(windows) { "C:\\repo" } else { "/repo" };
assert!(
requirements
.sandbox_policy
.can_set(&SandboxPolicy::WorkspaceWrite {
writable_roots: vec![AbsolutePathBuf::from_absolute_path(root)?],
read_only_access: Default::default(),
network_access: false,
exclude_tmpdir_env_var: false,
exclude_slash_tmp: false,
})
.is_ok()
);
assert_eq!(
requirements
.sandbox_policy
.can_set(&SandboxPolicy::DangerFullAccess),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "DangerFullAccess".into(),
allowed: "[ReadOnly, WorkspaceWrite]".into(),
requirement_source: source,
})
);
Ok(())
}
#[test]
fn remote_sandbox_config_non_match_preserves_top_level() -> Result<()> {
let mut requirements_toml: ConfigRequirementsToml = from_str(
r#"
allowed_sandbox_modes = ["read-only"]
[[remote_sandbox_config]]
hostname_patterns = ["build-*.example.com"]
allowed_sandbox_modes = ["read-only", "workspace-write"]
"#,
)?;
requirements_toml.apply_remote_sandbox_config(Some("laptop.example.com"));
let mut requirements_with_sources = ConfigRequirementsWithSources::default();
requirements_with_sources.merge_unset_fields(RequirementSource::Unknown, requirements_toml);
let requirements = ConfigRequirements::try_from(requirements_with_sources)?;
assert_eq!(
requirements
.sandbox_policy
.can_set(&SandboxPolicy::DangerFullAccess),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "DangerFullAccess".into(),
allowed: "[ReadOnly]".into(),
requirement_source: RequirementSource::Unknown,
})
);
Ok(())
}
#[test]
fn remote_sandbox_config_does_not_override_higher_precedence_sandbox_modes() -> Result<()> {
let high_source = RequirementSource::CloudRequirements;
let mut high_precedence: ConfigRequirementsToml = from_str(
r#"
allowed_sandbox_modes = ["read-only"]
"#,
)?;
high_precedence.apply_remote_sandbox_config(Some("runner-01.ci.example.com"));
let mut low_precedence: ConfigRequirementsToml = from_str(
r#"
[[remote_sandbox_config]]
hostname_patterns = ["runner-*.ci.example.com"]
allowed_sandbox_modes = ["read-only", "workspace-write"]
"#,
)?;
low_precedence.apply_remote_sandbox_config(Some("runner-01.ci.example.com"));
let mut requirements_with_sources = ConfigRequirementsWithSources::default();
requirements_with_sources.merge_unset_fields(high_source.clone(), high_precedence);
requirements_with_sources.merge_unset_fields(RequirementSource::Unknown, low_precedence);
let requirements = ConfigRequirements::try_from(requirements_with_sources)?;
assert_eq!(
requirements
.sandbox_policy
.can_set(&SandboxPolicy::new_workspace_write_policy()),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "WorkspaceWrite".into(),
allowed: "[ReadOnly]".into(),
requirement_source: high_source,
})
);
Ok(())
}
#[test]
fn deserialize_allowed_web_search_modes() -> Result<()> {
let toml_str = r#"