codex

clone/codex

Fork 0

mirror of https://github.com/openai/codex.git synced 2026-04-25 15:15:15 +00:00

Commit Graph

Author	SHA1	Message	Date
Michael Bolin	adca2d9f40	Make sandbox read access configurable with ReadOnlyAccess ## What This change introduces a new `ReadOnlyAccess` model and threads it through sandbox policy consumers so read access is explicit instead of implicit. - Added `ReadOnlyAccess` to protocol: - `Restricted { include_platform_defaults, readable_roots }` - `FullAccess` - Changed `SandboxPolicy` shape: - `ReadOnly` is now `ReadOnly { access: ReadOnlyAccess }` - `WorkspaceWrite` now carries `read_only_access: ReadOnlyAccess` - Kept existing behavior for now by defaulting to `ReadOnlyAccess::FullAccess` in constructors and current config/app-server mappings. - Added helper methods to compute effective readable roots (including optional platform defaults + cwd) and to detect full read access. - Updated seatbelt policy generation to honor restricted read roots by emitting scoped `(allow file-read* ...)` entries when full read access is not granted. - Updated Linux backends (`bwrap`, legacy landlock path) to fail closed with an explicit `UnsupportedOperation` when restricted read access is requested but not yet implemented there. - Updated Windows sandbox backends (standard, elevated, and runner paths) to fail closed in the same way for restricted read access. - Updated all call sites/tests/pattern matches for the new structured variants and regenerated app-server protocol schema/types. ## Why The previous `SandboxPolicy::ReadOnly` implied full-disk read access and left no way to express a narrower read surface. This refactor establishes the policy model needed to support user-configurable read restrictions in a follow-up without changing current runtime behavior. It also ensures we do not silently ignore future restricted-read policies on platform backends that do not support them yet. Failing closed keeps sandbox semantics predictable and avoids accidental over-permission. ## Compatibility and rollout notes - Existing behavior is preserved by default (`FullAccess`). - Existing config/app-server flows continue to serialize/deserialize cleanly. - New schema artifacts are included to keep generated protocol outputs in sync. ## Validation - `just fmt` - `just fix -p codex-protocol -p codex-core -p codex-linux-sandbox -p codex-windows-sandbox -p codex-app-server-protocol` - `cargo check -p codex-windows-sandbox` - Targeted crate/test runs were executed during development for protocol/core/ sandbox-related crates.	2026-02-10 23:11:46 -08:00
Michael Bolin	974355cfdd	feat: vendor app-server protocol schema fixtures (#10371 ) Similar to what @sayan-oai did in openai/codex#8956 for `config.schema.json`, this PR updates the repo so that it includes the output of `codex app-server generate-json-schema` and `codex app-server generate-ts` and adds a test to verify it is in sync with the current code. Motivation: - This makes any schema changes introduced by a PR transparent during code review. - In particular, this should help us catch PRs that would introduce a non-backwards-compatible change to the app schema (eventually, this should also be enforced by tooling). - Once https://github.com/openai/codex/pull/10231 is in to formalize the notion of "experimental" fields, we can work on ensuring the non-experimental bits are backwards-compatible. `codex-rs/app-server-protocol/tests/schema_fixtures.rs` was added as the test and `just write-app-server-schema` can be use to generate the vendored schema files. Incidentally, when I run: ``` rg _ codex-rs/app-server-protocol/schema/typescript/v2 ``` I see a number of `snake_case` names that should be `camelCase`.	2026-02-01 23:38:43 -08:00

Author

SHA1

Message

Date

Michael Bolin

adca2d9f40

Make sandbox read access configurable with ReadOnlyAccess

## What

This change introduces a new `ReadOnlyAccess` model and threads it through
sandbox policy consumers so read access is explicit instead of implicit.

- Added `ReadOnlyAccess` to protocol:
- `Restricted { include_platform_defaults, readable_roots }`
- `FullAccess`
- Changed `SandboxPolicy` shape:
- `ReadOnly` is now `ReadOnly { access: ReadOnlyAccess }`
- `WorkspaceWrite` now carries `read_only_access: ReadOnlyAccess`
- Kept existing behavior for now by defaulting to `ReadOnlyAccess::FullAccess`
in constructors and current config/app-server mappings.
- Added helper methods to compute effective readable roots (including optional
platform defaults + cwd) and to detect full read access.
- Updated seatbelt policy generation to honor restricted read roots by emitting
scoped `(allow file-read* ...)` entries when full read access is not granted.
- Updated Linux backends (`bwrap`, legacy landlock path) to fail closed with an
explicit `UnsupportedOperation` when restricted read access is requested but
not yet implemented there.
- Updated Windows sandbox backends (standard, elevated, and runner paths) to
fail closed in the same way for restricted read access.
- Updated all call sites/tests/pattern matches for the new structured variants
and regenerated app-server protocol schema/types.

## Why

The previous `SandboxPolicy::ReadOnly` implied full-disk read access and left
no way to express a narrower read surface.

This refactor establishes the policy model needed to support user-configurable
read restrictions in a follow-up without changing current runtime behavior.

It also ensures we do not silently ignore future restricted-read policies on
platform backends that do not support them yet. Failing closed keeps sandbox
semantics predictable and avoids accidental over-permission.

## Compatibility and rollout notes

- Existing behavior is preserved by default (`FullAccess`).
- Existing config/app-server flows continue to serialize/deserialize cleanly.
- New schema artifacts are included to keep generated protocol outputs in sync.

## Validation

- `just fmt`
- `just fix -p codex-protocol -p codex-core -p codex-linux-sandbox -p codex-windows-sandbox -p codex-app-server-protocol`
- `cargo check -p codex-windows-sandbox`
- Targeted crate/test runs were executed during development for protocol/core/
sandbox-related crates.

2026-02-10 23:11:46 -08:00

Michael Bolin

974355cfdd

feat: vendor app-server protocol schema fixtures (#10371 )

Similar to what @sayan-oai did in openai/codex#8956 for
`config.schema.json`, this PR updates the repo so that it includes the
output of `codex app-server generate-json-schema` and `codex app-server
generate-ts` and adds a test to verify it is in sync with the current
code.

Motivation:
- This makes any schema changes introduced by a PR transparent during
code review.
- In particular, this should help us catch PRs that would introduce a
non-backwards-compatible change to the app schema (eventually, this
should also be enforced by tooling).
- Once https://github.com/openai/codex/pull/10231 is in to formalize the
notion of "experimental" fields, we can work on ensuring the
non-experimental bits are backwards-compatible.

`codex-rs/app-server-protocol/tests/schema_fixtures.rs` was added as the
test and `just write-app-server-schema` can be use to generate the
vendored schema files.

Incidentally, when I run:

```
rg _ codex-rs/app-server-protocol/schema/typescript/v2
```

I see a number of `snake_case` names that should be `camelCase`.

2026-02-01 23:38:43 -08:00

2 Commits