feat(core): persist network approvals in execpolicy (#12357)

## Summary Persist network approval allow/deny decisions as `network_rule(...)` entries in execpolicy (not proxy config) It adds `network_rule` parsing + append support in `codex-execpolicy`, including `decision="prompt"` (parse-only; not compiled into proxy allow/deny lists) - compile execpolicy network rules into proxy allow/deny lists and update the live proxy state on approval - preserve requirements execpolicy `network_rule(...)` entries when merging with file-based execpolicy - reject broad wildcard hosts (for example `*`) for persisted `network_rule(...)`
2026-04-25 07:05:38 +00:00 · 2026-02-23 21:37:46 -08:00
parent af215eb390
commit c3048ff90a
31 changed files with 1617 additions and 13 deletions
--- a/codex-rs/app-server-protocol/schema/json/EventMsg.json
+++ b/codex-rs/app-server-protocol/schema/json/EventMsg.json
@@ -1662,6 +1662,16 @@
                "null"
              ]
            },
+            "proposed_network_policy_amendments": {
+              "description": "Proposed network policy amendments (for example allow/deny this host in future).",
+              "items": {
+                "$ref": "#/definitions/NetworkPolicyAmendment"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
            "reason": {
              "description": "Optional human-readable reason for the approval (e.g. retry without sandbox).",
              "type": [
@@ -3637,6 +3647,28 @@
      ],
      "type": "string"
    },
+    "NetworkPolicyAmendment": {
+      "properties": {
+        "action": {
+          "$ref": "#/definitions/NetworkPolicyRuleAction"
+        },
+        "host": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "action",
+        "host"
+      ],
+      "type": "object"
+    },
+    "NetworkPolicyRuleAction": {
+      "enum": [
+        "allow",
+        "deny"
+      ],
+      "type": "string"
+    },
    "ParsedCommand": {
      "oneOf": [
        {
@@ -6907,6 +6939,16 @@
            "null"
          ]
        },
+        "proposed_network_policy_amendments": {
+          "description": "Proposed network policy amendments (for example allow/deny this host in future).",
+          "items": {
+            "$ref": "#/definitions/NetworkPolicyAmendment"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
        "reason": {
          "description": "Optional human-readable reason for the approval (e.g. retry without sandbox).",
          "type": [