Make cloud_requirements fail close (#13063)

Make it fail-close only for CLI for now Will extend this for app-server later
2026-05-04 03:16:31 +00:00 · 2026-02-27 18:22:05 -08:00
parent e6032eb0b7
commit e2fef7a3d2
6 changed files with 158 additions and 65 deletions
--- a/codex-rs/core/src/config_loader/tests.rs
+++ b/codex-rs/core/src/config_loader/tests.rs
@@ -5,6 +5,7 @@ use crate::config::ConfigOverrides;
 use crate::config::ConfigToml;
 use crate::config::ConstraintError;
 use crate::config::ProjectConfig;
+use crate::config_loader::CloudRequirementsLoadError;
 use crate::config_loader::CloudRequirementsLoader;
 use crate::config_loader::ConfigLayerEntry;
 use crate::config_loader::ConfigLoadError;
@@ -576,7 +577,7 @@ allowed_approval_policies = ["on-request"]
            ..LoaderOverrides::default()
        },
        CloudRequirementsLoader::new(async {
-            Some(ConfigRequirementsToml {
+            Ok(Some(ConfigRequirementsToml {
                allowed_approval_policies: Some(vec![AskForApproval::Never]),
                allowed_sandbox_modes: None,
                allowed_web_search_modes: None,
@@ -584,7 +585,7 @@ allowed_approval_policies = ["on-request"]
                rules: None,
                enforce_residency: None,
                network: None,
-            })
+            }))
        }),
    )
    .await?;
@@ -671,7 +672,7 @@ async fn load_config_layers_includes_cloud_requirements() -> anyhow::Result<()>
        network: None,
    };
    let expected = requirements.clone();
-    let cloud_requirements = CloudRequirementsLoader::new(async move { Some(requirements) });
+    let cloud_requirements = CloudRequirementsLoader::new(async move { Ok(Some(requirements)) });

    let layers = load_config_layers_state(
        &codex_home,
@@ -702,6 +703,31 @@ async fn load_config_layers_includes_cloud_requirements() -> anyhow::Result<()>
    Ok(())
 }

+#[tokio::test]
+async fn load_config_layers_fails_when_cloud_requirements_loader_fails() -> anyhow::Result<()> {
+    let tmp = tempdir()?;
+    let codex_home = tmp.path().join("home");
+    tokio::fs::create_dir_all(&codex_home).await?;
+    let cwd = AbsolutePathBuf::from_absolute_path(tmp.path())?;
+
+    let err = load_config_layers_state(
+        &codex_home,
+        Some(cwd),
+        &[] as &[(String, TomlValue)],
+        LoaderOverrides::default(),
+        CloudRequirementsLoader::new(async {
+            Err(CloudRequirementsLoadError::new("cloud requirements failed"))
+        }),
+    )
+    .await
+    .expect_err("cloud requirements failure should fail closed");
+
+    assert_eq!(err.kind(), std::io::ErrorKind::Other);
+    assert!(err.to_string().contains("cloud requirements failed"));
+
+    Ok(())
+}
+
 #[tokio::test]
 async fn project_layers_prefer_closest_cwd() -> std::io::Result<()> {
    let tmp = tempdir()?;