Fix sandbox retry approvals

Should fix #751 by adding verbose error message.
fix typescript error
2026-02-02 23:13:37 +00:00 · 2025-10-15 17:04:10 -07:00 · 2025-04-30 14:55:15 -04:00 · 2025-04-29 12:43:52 -04:00 · 2025-04-29 12:30:19 -04:00 · 2025-04-29 12:22:41 -04:00
36 changed files with 454 additions and 1484 deletions
--- a/.github/dotslash-config.json
+++ b/.github/dotslash-config.json
@@ -1,37 +0,0 @@
-{
-  "outputs": {
-    "codex-repl": {
-      "platforms": {
-        "macos-aarch64":  { "regex": "^codex-repl-aarch64-apple-darwin\\.zst$",          "path": "codex-repl" },
-        "macos-x86_64":   { "regex": "^codex-repl-x86_64-apple-darwin\\.zst$",           "path": "codex-repl" },
-        "linux-x86_64":   { "regex": "^codex-repl-x86_64-unknown-linux-musl\\.zst$",     "path": "codex-repl" },
-        "linux-aarch64":  { "regex": "^codex-repl-aarch64-unknown-linux-gnu\\.zst$",     "path": "codex-repl" }
-      }
-    },
-
-    "codex-exec": {
-      "platforms": {
-        "macos-aarch64":  { "regex": "^codex-exec-aarch64-apple-darwin\\.zst$",          "path": "codex-exec" },
-        "macos-x86_64":   { "regex": "^codex-exec-x86_64-apple-darwin\\.zst$",           "path": "codex-exec" },
-        "linux-x86_64":   { "regex": "^codex-exec-x86_64-unknown-linux-musl\\.zst$",     "path": "codex-exec" },
-        "linux-aarch64":  { "regex": "^codex-exec-aarch64-unknown-linux-gnu\\.zst$",     "path": "codex-exec" }
-      }
-    },
-
-    "codex": {
-      "platforms": {
-        "macos-aarch64":  { "regex": "^codex-aarch64-apple-darwin\\.zst$",          "path": "codex" },
-        "macos-x86_64":   { "regex": "^codex-x86_64-apple-darwin\\.zst$",           "path": "codex" },
-        "linux-x86_64":   { "regex": "^codex-x86_64-unknown-linux-musl\\.zst$",     "path": "codex" },
-        "linux-aarch64":  { "regex": "^codex-aarch64-unknown-linux-gnu\\.zst$",     "path": "codex" }
-      }
-    },
-
-    "codex-linux-sandbox": {
-      "platforms": {
-        "linux-x86_64":   { "regex": "^codex-linux-sandbox-x86_64-unknown-linux-musl\\.zst$",     "path": "codex-linux-sandbox" },
-        "linux-aarch64":  { "regex": "^codex-linux-sandbox-aarch64-unknown-linux-gnu\\.zst$",     "path": "codex-linux-sandbox" }
-      }
-    }
-  }
-}
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -1,157 +0,0 @@
-# Release workflow for codex-rs.
-# To release, follow a workflow like:
-# ```
-# git tag -a rust-v0.1.0 -m "Release 0.1.0"
-# git push origin rust-v0.1.0
-# ```
-
-name: rust-release
-on:
-  push:
-    tags:
-      - "rust-v.*.*.*"
-
-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: true
-
-env:
-  TAG_REGEX: '^rust-v\.[0-9]+\.[0-9]+\.[0-9]+$'
-
-jobs:
-  tag-check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Validate tag matches Cargo.toml version
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "::group::Tag validation"
-
-          # 1. Must be a tag and match the regex
-          [[ "${GITHUB_REF_TYPE}" == "tag" ]] \
-            || { echo "❌  Not a tag push"; exit 1; }
-          [[ "${GITHUB_REF_NAME}" =~ ${TAG_REGEX} ]] \
-            || { echo "❌  Tag '${GITHUB_REF_NAME}' != ${TAG_REGEX}"; exit 1; }
-
-          # 2. Extract versions
-          tag_ver="${GITHUB_REF_NAME#rust-v.}"
-          cargo_ver="$(grep -m1 '^version' codex-rs/Cargo.toml \
-                        | sed -E 's/version *= *"([^"]+)".*/\1/')"
-
-          # 3. Compare
-          [[ "${tag_ver}" == "${cargo_ver}" ]] \
-            || { echo "❌  Tag ${tag_ver} ≠ Cargo.toml ${cargo_ver}"; exit 1; }
-
-          echo "✅  Tag and Cargo.toml agree (${tag_ver})"
-          echo "::endgroup::"
-
-  build:
-    needs: tag-check
-    name: ${{ matrix.runner }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    defaults:
-      run:
-        working-directory: codex-rs
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-14
-            target: aarch64-apple-darwin
-          - runner: macos-14
-            target: x86_64-apple-darwin
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: ${{ matrix.target }}
-
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/codex-rs/target/
-          key: cargo-release-${{ matrix.runner }}-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' }}
-        name: Install musl build tools
-        run: |
-          sudo apt install -y musl-tools pkg-config
-
-      - name: Cargo build
-        run: cargo build --target ${{ matrix.target }} --release --all-targets --all-features
-
-      - name: Stage artifacts
-        shell: bash
-        run: |
-          dest="dist/${{ matrix.target }}"
-          mkdir -p "$dest"
-
-          cp target/${{ matrix.target }}/release/codex-repl "$dest/codex-repl-${{ matrix.target }}"
-          cp target/${{ matrix.target }}/release/codex-exec "$dest/codex-exec-${{ matrix.target }}"
-          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'x86_64-unknown-linux-gnu' || matrix.target == 'aarch64-unknown-linux-gnu' }}
-        name: Stage Linux-only artifacts
-        shell: bash
-        run: |
-          dest="dist/${{ matrix.target }}"
-          cp target/${{ matrix.target }}/release/codex-linux-sandbox "$dest/codex-linux-sandbox-${{ matrix.target }}"
-
-      - name: Compress artifacts
-        shell: bash
-        run: |
-          dest="dist/${{ matrix.target }}"
-          zstd -T0 -19 --rm "$dest"/*
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.target }}
-          path: codex-rs/dist/${{ matrix.target }}/*
-
-  release:
-    needs: build
-    name: release
-    runs-on: ubuntu-24.04
-    env:
-      RELEASE_TAG: codex-rs-${{ github.sha }}-${{ github.run_attempt }}-${{ github.ref_name }}
-
-    steps:
-      - uses: actions/download-artifact@v4
-        with:
-          path: dist
-
-      - name: List
-        run: ls -R dist/
-
-      - uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ env.RELEASE_TAG }}
-          files: dist/**
-          # TODO(ragona): I'm going to leave these as prerelease/draft for now.
-          # It gives us 1) clarity that these are not yet a stable version, and
-          # 2) allows a human step to review the release before publishing the draft.
-          prerelease: true
-          draft: true
-
-      - uses: facebook/dotslash-publish-release@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag: ${{ env.RELEASE_TAG }}
-          config: .github/dotslash-config.json
--- a/codex-cli/scripts/init_firewall.sh
+++ b/codex-cli/scripts/init_firewall.sh
@@ -2,26 +2,6 @@
 set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
 IFS=$'\n\t'       # Stricter word splitting

-# Read allowed domains from file
-ALLOWED_DOMAINS_FILE="/etc/codex/allowed_domains.txt"
-if [ -f "$ALLOWED_DOMAINS_FILE" ]; then
-    ALLOWED_DOMAINS=()
-    while IFS= read -r domain; do
-        ALLOWED_DOMAINS+=("$domain")
-    done < "$ALLOWED_DOMAINS_FILE"
-    echo "Using domains from file: ${ALLOWED_DOMAINS[*]}"
-else
-    # Fallback to default domains
-    ALLOWED_DOMAINS=("api.openai.com")
-    echo "Domains file not found, using default: ${ALLOWED_DOMAINS[*]}"
-fi
-
-# Ensure we have at least one domain
-if [ ${#ALLOWED_DOMAINS[@]} -eq 0 ]; then
-    echo "ERROR: No allowed domains specified"
-    exit 1
-fi
-
 # Flush existing rules and delete existing ipsets
 iptables -F
 iptables -X
@@ -44,7 +24,8 @@ iptables -A OUTPUT -o lo -j ACCEPT
 ipset create allowed-domains hash:net

 # Resolve and add other allowed domains
-for domain in "${ALLOWED_DOMAINS[@]}"; do
+for domain in \
+    "api.openai.com"; do
    echo "Resolving $domain..."
    ips=$(dig +short A "$domain")
    if [ -z "$ips" ]; then
@@ -106,7 +87,7 @@ else
    echo "Firewall verification passed - unable to reach https://example.com as expected"
 fi

-# Always verify OpenAI API access is working
+# Verify OpenAI API access
 if ! curl --connect-timeout 5 https://api.openai.com >/dev/null 2>&1; then
    echo "ERROR: Firewall verification failed - unable to reach https://api.openai.com"
    exit 1
--- a/codex-cli/scripts/run_in_container.sh
+++ b/codex-cli/scripts/run_in_container.sh
@@ -10,8 +10,6 @@ set -e

 # Default the work directory to WORKSPACE_ROOT_DIR if not provided.
 WORK_DIR="${WORKSPACE_ROOT_DIR:-$(pwd)}"
-# Default allowed domains - can be overridden with OPENAI_ALLOWED_DOMAINS env var
-OPENAI_ALLOWED_DOMAINS="${OPENAI_ALLOWED_DOMAINS:-api.openai.com}"

 # Parse optional flag.
 if [ "$1" = "--work_dir" ]; then
@@ -47,12 +45,6 @@ if [ -z "$WORK_DIR" ]; then
  exit 1
 fi

-# Verify that OPENAI_ALLOWED_DOMAINS is not empty
-if [ -z "$OPENAI_ALLOWED_DOMAINS" ]; then
-  echo "Error: OPENAI_ALLOWED_DOMAINS is empty."
-  exit 1
-fi
-
 # Kill any existing container for the working directory using cleanup(), centralizing removal logic.
 cleanup

@@ -65,25 +57,8 @@ docker run --name "$CONTAINER_NAME" -d \
  codex \
  sleep infinity

-# Write the allowed domains to a file in the container
-docker exec --user root "$CONTAINER_NAME" bash -c "mkdir -p /etc/codex"
-for domain in $OPENAI_ALLOWED_DOMAINS; do
-  # Validate domain format to prevent injection
-  if [[ ! "$domain" =~ ^[a-zA-Z0-9][a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then
-    echo "Error: Invalid domain format: $domain"
-    exit 1
-  fi
-  echo "$domain" | docker exec --user root -i "$CONTAINER_NAME" bash -c "cat >> /etc/codex/allowed_domains.txt"
-done
-
-# Set proper permissions on the domains file
-docker exec --user root "$CONTAINER_NAME" bash -c "chmod 444 /etc/codex/allowed_domains.txt && chown root:root /etc/codex/allowed_domains.txt"
-
-# Initialize the firewall inside the container as root user
-docker exec --user root "$CONTAINER_NAME" bash -c "/usr/local/bin/init_firewall.sh"
-
-# Remove the firewall script after running it
-docker exec --user root "$CONTAINER_NAME" bash -c "rm -f /usr/local/bin/init_firewall.sh"
+# Initialize the firewall inside the container with root privileges.
+docker exec --user root "$CONTAINER_NAME" /usr/local/bin/init_firewall.sh

 # Execute the provided command in the container, ensuring it runs in the work directory.
 # We use a parameterized bash command to safely handle the command and directory.
--- a/codex-cli/src/utils/agent/agent-loop.ts
+++ b/codex-cli/src/utils/agent/agent-loop.ts
@@ -1137,7 +1137,7 @@ export class AgentLoop {
                content: [
                  {
                    type: "input_text",
-                    text: "⚠️ Insufficient quota. Please check your billing details and retry.",
+                    text: `\u26a0 Insufficient quota: ${err instanceof Error && err.message ? err.message.trim() : "No remaining quota."} Manage or purchase credits at https://platform.openai.com/account/billing.`,
                  },
                ],
              });
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -469,7 +469,7 @@ dependencies = [

 [[package]]
 name = "codex-cli"
-version = "0.0.2504292236"
+version = "0.1.0"
 dependencies = [
 "anyhow",
 "clap",
@@ -504,7 +504,6 @@ dependencies = [
 "mime_guess",
 "openssl-sys",
 "patch",
- "path-absolutize",
 "predicates",
 "rand",
 "reqwest",
@@ -524,14 +523,12 @@ dependencies = [

 [[package]]
 name = "codex-exec"
-version = "0.0.2504292236"
+version = "0.1.0"
 dependencies = [
 "anyhow",
- "chrono",
 "clap",
 "codex-core",
- "owo-colors 4.2.0",
- "shlex",
+ "owo-colors",
 "tokio",
 "tracing",
 "tracing-subscriber",
@@ -559,12 +556,12 @@ dependencies = [

 [[package]]
 name = "codex-repl"
-version = "0.0.2504292236"
+version = "0.1.0"
 dependencies = [
 "anyhow",
 "clap",
 "codex-core",
- "owo-colors 4.2.0",
+ "owo-colors",
 "rand",
 "tokio",
 "tracing",
@@ -602,7 +599,7 @@ dependencies = [
 "eyre",
 "indenter",
 "once_cell",
- "owo-colors 3.5.0",
+ "owo-colors",
 "tracing-error",
 ]

@@ -613,7 +610,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cd6be1b2a7e382e2b98b43b2adcca6bb0e465af0bdd38123873ae61eb17a72c2"
 dependencies = [
 "once_cell",
- "owo-colors 3.5.0",
+ "owo-colors",
 "tracing-core",
 "tracing-error",
 ]
@@ -2228,12 +2225,6 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"

-[[package]]
-name = "owo-colors"
-version = "3.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1b04fb49957986fdce4d6ee7a65027d55d4b6d2265e5848bbb507b58ccfdb6f"
-
 [[package]]
 name = "owo-colors"
 version = "4.2.0"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -10,12 +10,3 @@ members = [
    "repl",
    "tui",
 ]
-
-[workspace.package]
-version = "0.0.2504292236"
-
-[profile.release]
-lto = "fat"
-# Because we bundle some of these executables with the TypeScript CLI, we
-# remove everything to make the binary as small as possible.
-strip = "symbols"
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -1,20 +1,12 @@
 [package]
 name = "codex-cli"
-version = { workspace = true }
+version = "0.1.0"
 edition = "2021"

 [[bin]]
 name = "codex"
 path = "src/main.rs"

-[[bin]]
-name = "codex-linux-sandbox"
-path = "src/linux-sandbox/main.rs"
-
-[lib]
-name = "codex_cli"
-path = "src/lib.rs"
-
 [dependencies]
 anyhow = "1"
 clap = { version = "4", features = ["derive"] }
--- a/codex-rs/cli/src/landlock.rs
+++ b/codex-rs/cli/src/landlock.rs
@@ -5,20 +5,34 @@

 use codex_core::protocol::SandboxPolicy;
 use std::os::unix::process::ExitStatusExt;
+use std::path::PathBuf;
 use std::process;
 use std::process::Command;
 use std::process::ExitStatus;

 /// Execute `command` in a Linux sandbox (Landlock + seccomp) the way Codex
 /// would.
-pub fn run_landlock(command: Vec<String>, sandbox_policy: SandboxPolicy) -> anyhow::Result<()> {
+pub(crate) fn run_landlock(
+    command: Vec<String>,
+    sandbox_policy: SandboxPolicy,
+    writable_roots: Vec<PathBuf>,
+) -> anyhow::Result<()> {
    if command.is_empty() {
        anyhow::bail!("command args are empty");
    }

    // Spawn a new thread and apply the sandbox policies there.
    let handle = std::thread::spawn(move || -> anyhow::Result<ExitStatus> {
-        codex_core::linux::apply_sandbox_policy_to_current_thread(sandbox_policy)?;
+        // Apply sandbox policies inside this thread so only the child inherits
+        // them, not the entire CLI process.
+        if sandbox_policy.is_network_restricted() {
+            codex_core::linux::install_network_seccomp_filter_on_current_thread()?;
+        }
+
+        if sandbox_policy.is_file_write_restricted() {
+            codex_core::linux::install_filesystem_landlock_rules_on_current_thread(writable_roots)?;
+        }
+
        let status = Command::new(&command[0]).args(&command[1..]).status()?;
        Ok(status)
    });
--- a/codex-rs/cli/src/lib.rs
+++ b/codex-rs/cli/src/lib.rs
@@ -1,47 +0,0 @@
-#[cfg(target_os = "linux")]
-pub mod landlock;
-pub mod proto;
-pub mod seatbelt;
-
-use clap::Parser;
-use codex_core::protocol::SandboxPolicy;
-use codex_core::SandboxPermissionOption;
-
-#[derive(Debug, Parser)]
-pub struct SeatbeltCommand {
-    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
-
-    /// Full command args to run under seatbelt.
-    #[arg(trailing_var_arg = true)]
-    pub command: Vec<String>,
-}
-
-#[derive(Debug, Parser)]
-pub struct LandlockCommand {
-    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
-
-    /// Full command args to run under landlock.
-    #[arg(trailing_var_arg = true)]
-    pub command: Vec<String>,
-}
-
-pub fn create_sandbox_policy(full_auto: bool, sandbox: SandboxPermissionOption) -> SandboxPolicy {
-    if full_auto {
-        SandboxPolicy::new_full_auto_policy()
-    } else {
-        match sandbox.permissions.map(Into::into) {
-            Some(sandbox_policy) => sandbox_policy,
-            None => SandboxPolicy::new_read_only_policy(),
-        }
-    }
-}
--- a/codex-rs/cli/src/linux-sandbox/main.rs
+++ b/codex-rs/cli/src/linux-sandbox/main.rs
@@ -1,22 +0,0 @@
-#[cfg(not(target_os = "linux"))]
-fn main() -> anyhow::Result<()> {
-    eprintln!("codex-linux-sandbox is not supported on this platform.");
-    std::process::exit(1);
-}
-
-#[cfg(target_os = "linux")]
-fn main() -> anyhow::Result<()> {
-    use clap::Parser;
-    use codex_cli::create_sandbox_policy;
-    use codex_cli::landlock;
-    use codex_cli::LandlockCommand;
-
-    let LandlockCommand {
-        full_auto,
-        sandbox,
-        command,
-    } = LandlockCommand::parse();
-    let sandbox_policy = create_sandbox_policy(full_auto, sandbox);
-    landlock::run_landlock(command, sandbox_policy)?;
-    Ok(())
-}
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -1,9 +1,13 @@
+#[cfg(target_os = "linux")]
+mod landlock;
+mod proto;
+mod seatbelt;
+
+use std::path::PathBuf;
+
+use clap::ArgAction;
 use clap::Parser;
-use codex_cli::create_sandbox_policy;
-use codex_cli::proto;
-use codex_cli::seatbelt;
-use codex_cli::LandlockCommand;
-use codex_cli::SeatbeltCommand;
+use codex_core::SandboxModeCliArg;
 use codex_exec::Cli as ExecCli;
 use codex_repl::Cli as ReplCli;
 use codex_tui::Cli as TuiCli;
@@ -61,6 +65,36 @@ enum DebugCommand {
    Landlock(LandlockCommand),
 }

+#[derive(Debug, Parser)]
+struct SeatbeltCommand {
+    /// Writable folder for sandbox (can be specified multiple times).
+    #[arg(long = "writable-root", short = 'w', value_name = "DIR", action = ArgAction::Append, use_value_delimiter = false)]
+    writable_roots: Vec<PathBuf>,
+
+    /// Configure the process restrictions for the command.
+    #[arg(long = "sandbox", short = 's')]
+    sandbox_policy: SandboxModeCliArg,
+
+    /// Full command args to run under seatbelt.
+    #[arg(trailing_var_arg = true)]
+    command: Vec<String>,
+}
+
+#[derive(Debug, Parser)]
+struct LandlockCommand {
+    /// Writable folder for sandbox (can be specified multiple times).
+    #[arg(long = "writable-root", short = 'w', value_name = "DIR", action = ArgAction::Append, use_value_delimiter = false)]
+    writable_roots: Vec<PathBuf>,
+
+    /// Configure the process restrictions for the command.
+    #[arg(long = "sandbox", short = 's')]
+    sandbox_policy: SandboxModeCliArg,
+
+    /// Full command args to run under landlock.
+    #[arg(trailing_var_arg = true)]
+    command: Vec<String>,
+}
+
 #[derive(Debug, Parser)]
 struct ReplProto {}

@@ -84,20 +118,18 @@ async fn main() -> anyhow::Result<()> {
        Some(Subcommand::Debug(debug_args)) => match debug_args.cmd {
            DebugCommand::Seatbelt(SeatbeltCommand {
                command,
-                sandbox,
-                full_auto,
+                sandbox_policy,
+                writable_roots,
            }) => {
-                let sandbox_policy = create_sandbox_policy(full_auto, sandbox);
-                seatbelt::run_seatbelt(command, sandbox_policy).await?;
+                seatbelt::run_seatbelt(command, sandbox_policy.into(), writable_roots).await?;
            }
            #[cfg(target_os = "linux")]
            DebugCommand::Landlock(LandlockCommand {
                command,
-                sandbox,
-                full_auto,
+                sandbox_policy,
+                writable_roots,
            }) => {
-                let sandbox_policy = create_sandbox_policy(full_auto, sandbox);
-                codex_cli::landlock::run_landlock(command, sandbox_policy)?;
+                landlock::run_landlock(command, sandbox_policy.into(), writable_roots)?;
            }
            #[cfg(not(target_os = "linux"))]
            DebugCommand::Landlock(_) => {
--- a/codex-rs/cli/src/seatbelt.rs
+++ b/codex-rs/cli/src/seatbelt.rs
@@ -1,11 +1,13 @@
 use codex_core::exec::create_seatbelt_command;
 use codex_core::protocol::SandboxPolicy;
+use std::path::PathBuf;

-pub async fn run_seatbelt(
+pub(crate) async fn run_seatbelt(
    command: Vec<String>,
    sandbox_policy: SandboxPolicy,
+    writable_roots: Vec<PathBuf>,
 ) -> anyhow::Result<()> {
-    let seatbelt_command = create_seatbelt_command(command, &sandbox_policy);
+    let seatbelt_command = create_seatbelt_command(command, sandbox_policy, &writable_roots);
    let status = tokio::process::Command::new(seatbelt_command[0].clone())
        .args(&seatbelt_command[1..])
        .spawn()
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -21,7 +21,6 @@ fs-err = "3.1.0"
 futures = "0.3"
 mime_guess = "2.0"
 patch = "0.7"
-path-absolutize = "3.1.1"
 rand = "0.9"
 reqwest = { version = "0.12", features = ["json", "stream"] }
 serde = { version = "1", features = ["derive"] }
--- a/codex-rs/core/src/approval_mode_cli_arg.rs
+++ b/codex-rs/core/src/approval_mode_cli_arg.rs
@@ -1,14 +1,10 @@
 //! Standard type to use with the `--approval-mode` CLI option.
 //! Available when the `cli` feature is enabled for the crate.

-use std::path::PathBuf;
-
-use clap::ArgAction;
-use clap::Parser;
 use clap::ValueEnum;

 use crate::protocol::AskForApproval;
-use crate::protocol::SandboxPermission;
+use crate::protocol::SandboxPolicy;

 #[derive(Clone, Copy, Debug, ValueEnum)]
 #[value(rename_all = "kebab-case")]
@@ -28,6 +24,19 @@ pub enum ApprovalModeCliArg {
    Never,
 }

+#[derive(Clone, Copy, Debug, ValueEnum)]
+#[value(rename_all = "kebab-case")]
+pub enum SandboxModeCliArg {
+    /// Network syscalls will be blocked
+    NetworkRestricted,
+    /// Filesystem writes will be restricted
+    FileWriteRestricted,
+    /// Network and filesystem writes will be restricted
+    NetworkAndFileWriteRestricted,
+    /// No restrictions; full "unsandboxed" mode
+    DangerousNoRestrictions,
+}
+
 impl From<ApprovalModeCliArg> for AskForApproval {
    fn from(value: ApprovalModeCliArg) -> Self {
        match value {
@@ -38,83 +47,15 @@ impl From<ApprovalModeCliArg> for AskForApproval {
    }
 }

-#[derive(Parser, Debug)]
-pub struct SandboxPermissionOption {
-    /// Specify this flag multiple times to specify the full set of permissions
-    /// to grant to Codex.
-    ///
-    /// ```shell
-    /// codex -s disk-full-read-access \
-    ///       -s disk-write-cwd \
-    ///       -s disk-write-platform-user-temp-folder \
-    ///       -s disk-write-platform-global-temp-folder
-    /// ```
-    ///
-    /// Note disk-write-folder takes a value:
-    ///
-    /// ```shell
-    ///     -s disk-write-folder=$HOME/.pyenv/shims
-    /// ```
-    ///
-    /// These permissions are quite broad and should be used with caution:
-    ///
-    /// ```shell
-    ///     -s disk-full-write-access
-    ///     -s network-full-access
-    /// ```
-    #[arg(long = "sandbox-permission", short = 's', action = ArgAction::Append, value_parser = parse_sandbox_permission)]
-    pub permissions: Option<Vec<SandboxPermission>>,
-}
-
-/// Custom value-parser so we can keep the CLI surface small *and*
-/// still handle the parameterised `disk-write-folder` case.
-fn parse_sandbox_permission(raw: &str) -> std::io::Result<SandboxPermission> {
-    let base_path = std::env::current_dir()?;
-    parse_sandbox_permission_with_base_path(raw, base_path)
-}
-
-pub(crate) fn parse_sandbox_permission_with_base_path(
-    raw: &str,
-    base_path: PathBuf,
-) -> std::io::Result<SandboxPermission> {
-    use SandboxPermission::*;
-
-    if let Some(path) = raw.strip_prefix("disk-write-folder=") {
-        return if path.is_empty() {
-            Err(std::io::Error::new(
-                std::io::ErrorKind::InvalidInput,
-                "--sandbox-permission disk-write-folder=<PATH> requires a non-empty PATH",
-            ))
-        } else {
-            use path_absolutize::*;
-
-            let file = PathBuf::from(path);
-            let absolute_path = if file.is_relative() {
-                file.absolutize_from(base_path)
-            } else {
-                file.absolutize()
+impl From<SandboxModeCliArg> for SandboxPolicy {
+    fn from(value: SandboxModeCliArg) -> Self {
+        match value {
+            SandboxModeCliArg::NetworkRestricted => SandboxPolicy::NetworkRestricted,
+            SandboxModeCliArg::FileWriteRestricted => SandboxPolicy::FileWriteRestricted,
+            SandboxModeCliArg::NetworkAndFileWriteRestricted => {
+                SandboxPolicy::NetworkAndFileWriteRestricted
            }
-            .map(|path| path.into_owned())?;
-            Ok(DiskWriteFolder {
-                folder: absolute_path,
-            })
-        };
-    }
-
-    match raw {
-        "disk-full-read-access" => Ok(DiskFullReadAccess),
-        "disk-write-platform-user-temp-folder" => Ok(DiskWritePlatformUserTempFolder),
-        "disk-write-platform-global-temp-folder" => Ok(DiskWritePlatformGlobalTempFolder),
-        "disk-write-cwd" => Ok(DiskWriteCwd),
-        "disk-full-write-access" => Ok(DiskFullWriteAccess),
-        "network-full-access" => Ok(NetworkFullAccess),
-        _ => Err(
-            std::io::Error::new(
-                std::io::ErrorKind::InvalidInput,
-                format!(
-                    "`{raw}` is not a recognised permission.\nRun with `--help` to see the accepted values."
-                ),
-            )
-        ),
+            SandboxModeCliArg::DangerousNoRestrictions => SandboxPolicy::DangerousNoRestrictions,
+        }
    }
 }
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -861,7 +861,7 @@ async fn handle_function_call(
                assess_command_safety(
                    &params.command,
                    sess.approval_policy,
-                    &sess.sandbox_policy,
+                    sess.sandbox_policy,
                    &state.approved_commands,
                )
            };
@@ -916,11 +916,14 @@ async fn handle_function_call(
            )
            .await;

+            let roots_snapshot = { sess.writable_roots.lock().unwrap().clone() };
+
            let output_result = process_exec_tool_call(
                params.clone(),
                sandbox_type,
+                &roots_snapshot,
                sess.ctrl_c.clone(),
-                &sess.sandbox_policy,
+                sess.sandbox_policy,
            )
            .await;

@@ -979,13 +982,17 @@ async fn handle_function_call(
                        )
                        .await;

-                    match rx_approve.await.unwrap_or_default() {
+                    let decision = rx_approve.await.unwrap_or_default();
+
+                    if matches!(decision, ReviewDecision::ApprovedForSession) {
+                        // Persist this command as pre-approved for the
+                        // remainder of the session so future executions
+                        // can skip the sandbox directly.
+                        sess.add_approved_command(params.command.clone());
+                    }
+
+                    match decision {
                        ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {
-                            // Persist this command as pre‑approved for the
-                            // remainder of the session so future
-                            // executions skip the sandbox directly.
-                            // TODO(ragona): Isn't this a bug? It always saves the command in an | fork?
-                            sess.add_approved_command(params.command.clone());
                            // Inform UI we are retrying without sandbox.
                            sess.notify_background_event(
                                &sub_id,
@@ -1003,13 +1010,16 @@ async fn handle_function_call(
                            )
                            .await;

+                            let retry_roots = { sess.writable_roots.lock().unwrap().clone() };
+
                            // This is an escalated retry; the policy will not be
                            // examined and the sandbox has been set to `None`.
                            let retry_output_result = process_exec_tool_call(
                                params.clone(),
                                SandboxType::None,
+                                &retry_roots,
                                sess.ctrl_c.clone(),
-                                &sess.sandbox_policy,
+                                sess.sandbox_policy,
                            )
                            .await;

--- a/codex-rs/core/src/config.rs
+++ b/codex-rs/core/src/config.rs
@@ -1,7 +1,5 @@
-use crate::approval_mode_cli_arg::parse_sandbox_permission_with_base_path;
 use crate::flags::OPENAI_DEFAULT_MODEL;
 use crate::protocol::AskForApproval;
-use crate::protocol::SandboxPermission;
 use crate::protocol::SandboxPolicy;
 use dirs::home_dir;
 use serde::Deserialize;
@@ -13,98 +11,27 @@ use std::path::PathBuf;
 const EMBEDDED_INSTRUCTIONS: &str = include_str!("../prompt.md");

 /// Application configuration loaded from disk and merged with overrides.
-#[derive(Debug, Clone)]
+#[derive(Deserialize, Debug, Clone)]
 pub struct Config {
    /// Optional override of model selection.
+    #[serde(default = "default_model")]
    pub model: String,
-
-    /// Approval policy for executing commands.
+    /// Default approval policy for executing commands.
+    #[serde(default)]
    pub approval_policy: AskForApproval,
-
+    #[serde(default)]
    pub sandbox_policy: SandboxPolicy,

    /// Disable server-side response storage (sends the full conversation
    /// context with every request). Currently necessary for OpenAI customers
    /// who have opted into Zero Data Retention (ZDR).
+    #[serde(default)]
    pub disable_response_storage: bool,

    /// System instructions.
    pub instructions: Option<String>,
 }

-/// Base config deserialized from ~/.codex/config.toml.
-#[derive(Deserialize, Debug, Clone, Default)]
-pub struct ConfigToml {
-    /// Optional override of model selection.
-    pub model: Option<String>,
-
-    /// Default approval policy for executing commands.
-    pub approval_policy: Option<AskForApproval>,
-
-    // The `default` attribute ensures that the field is treated as `None` when
-    // the key is omitted from the TOML. Without it, Serde treats the field as
-    // required because we supply a custom deserializer.
-    #[serde(default, deserialize_with = "deserialize_sandbox_permissions")]
-    pub sandbox_permissions: Option<Vec<SandboxPermission>>,
-
-    /// Disable server-side response storage (sends the full conversation
-    /// context with every request). Currently necessary for OpenAI customers
-    /// who have opted into Zero Data Retention (ZDR).
-    pub disable_response_storage: Option<bool>,
-
-    /// System instructions.
-    pub instructions: Option<String>,
-}
-
-impl ConfigToml {
-    /// Attempt to parse the file at `~/.codex/config.toml`. If it does not
-    /// exist, return a default config. Though if it exists and cannot be
-    /// parsed, report that to the user and force them to fix it.
-    fn load_from_toml() -> std::io::Result<Self> {
-        let config_toml_path = codex_dir()?.join("config.toml");
-        match std::fs::read_to_string(&config_toml_path) {
-            Ok(contents) => toml::from_str::<Self>(&contents).map_err(|e| {
-                tracing::error!("Failed to parse config.toml: {e}");
-                std::io::Error::new(std::io::ErrorKind::InvalidData, e)
-            }),
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
-                tracing::info!("config.toml not found, using defaults");
-                Ok(Self::default())
-            }
-            Err(e) => {
-                tracing::error!("Failed to read config.toml: {e}");
-                Err(e)
-            }
-        }
-    }
-}
-
-fn deserialize_sandbox_permissions<'de, D>(
-    deserializer: D,
-) -> Result<Option<Vec<SandboxPermission>>, D::Error>
-where
-    D: serde::Deserializer<'de>,
-{
-    let permissions: Option<Vec<String>> = Option::deserialize(deserializer)?;
-
-    match permissions {
-        Some(raw_permissions) => {
-            let base_path = codex_dir().map_err(serde::de::Error::custom)?;
-
-            let converted = raw_permissions
-                .into_iter()
-                .map(|raw| {
-                    parse_sandbox_permission_with_base_path(&raw, base_path.clone())
-                        .map_err(serde::de::Error::custom)
-                })
-                .collect::<Result<Vec<_>, D::Error>>()?;
-
-            Ok(Some(converted))
-        }
-        None => Ok(None),
-    }
-}
-
 /// Optional overrides for user configuration (e.g., from CLI flags).
 #[derive(Default, Debug, Clone)]
 pub struct ConfigOverrides {
@@ -119,14 +46,11 @@ impl Config {
    /// ~/.codex/config.toml, ~/.codex/instructions.md, embedded defaults, and
    /// any values provided in `overrides` (highest precedence).
    pub fn load_with_overrides(overrides: ConfigOverrides) -> std::io::Result<Self> {
-        let cfg: ConfigToml = ConfigToml::load_from_toml()?;
+        let mut cfg: Config = Self::load_from_toml()?;
        tracing::warn!("Config parsed from config.toml: {cfg:?}");
-        Ok(Self::load_from_base_config_with_overrides(cfg, overrides))
-    }

-    fn load_from_base_config_with_overrides(cfg: ConfigToml, overrides: ConfigOverrides) -> Self {
        // Instructions: user-provided instructions.md > embedded default.
-        let instructions =
+        cfg.instructions =
            Self::load_instructions().or_else(|| Some(EMBEDDED_INSTRUCTIONS.to_string()));

        // Destructure ConfigOverrides fully to ensure all overrides are applied.
@@ -137,32 +61,50 @@ impl Config {
            disable_response_storage,
        } = overrides;

-        let sandbox_policy = match sandbox_policy {
-            Some(sandbox_policy) => sandbox_policy,
-            None => {
-                // Derive a SandboxPolicy from the permissions in the config.
-                match cfg.sandbox_permissions {
-                    // Note this means the user can explicitly set permissions
-                    // to the empty list in the config file, granting it no
-                    // permissions whatsoever.
-                    Some(permissions) => SandboxPolicy::from(permissions),
-                    // Default to read only rather than completely locked down.
-                    None => SandboxPolicy::new_read_only_policy(),
-                }
-            }
-        };
-
-        Self {
-            model: model.or(cfg.model).unwrap_or_else(default_model),
-            approval_policy: approval_policy
-                .or(cfg.approval_policy)
-                .unwrap_or_else(AskForApproval::default),
-            sandbox_policy,
-            disable_response_storage: disable_response_storage
-                .or(cfg.disable_response_storage)
-                .unwrap_or(false),
-            instructions,
+        if let Some(model) = model {
+            cfg.model = model;
        }
+        if let Some(approval_policy) = approval_policy {
+            cfg.approval_policy = approval_policy;
+        }
+        if let Some(sandbox_policy) = sandbox_policy {
+            cfg.sandbox_policy = sandbox_policy;
+        }
+        if let Some(disable_response_storage) = disable_response_storage {
+            cfg.disable_response_storage = disable_response_storage;
+        }
+        Ok(cfg)
+    }
+
+    /// Attempt to parse the file at `~/.codex/config.toml` into a Config.
+    fn load_from_toml() -> std::io::Result<Self> {
+        let config_toml_path = codex_dir()?.join("config.toml");
+        match std::fs::read_to_string(&config_toml_path) {
+            Ok(contents) => toml::from_str::<Self>(&contents).map_err(|e| {
+                tracing::error!("Failed to parse config.toml: {e}");
+                std::io::Error::new(std::io::ErrorKind::InvalidData, e)
+            }),
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
+                tracing::info!("config.toml not found, using defaults");
+                Ok(Self::load_default_config())
+            }
+            Err(e) => {
+                tracing::error!("Failed to read config.toml: {e}");
+                Err(e)
+            }
+        }
+    }
+
+    /// Meant to be used exclusively for tests: load_with_overrides() should be
+    /// used in all other cases.
+    pub fn load_default_config_for_test() -> Self {
+        Self::load_default_config()
+    }
+
+    fn load_default_config() -> Self {
+        // Load from an empty string to exercise #[serde(default)] to
+        // get the default values for each field.
+        toml::from_str::<Self>("").expect("empty string should parse as TOML")
    }

    fn load_instructions() -> Option<String> {
@@ -170,15 +112,6 @@ impl Config {
        p.push("instructions.md");
        std::fs::read_to_string(&p).ok()
    }
-
-    /// Meant to be used exclusively for tests: `load_with_overrides()` should
-    /// be used in all other cases.
-    pub fn load_default_config_for_test() -> Self {
-        Self::load_from_base_config_with_overrides(
-            ConfigToml::default(),
-            ConfigOverrides::default(),
-        )
-    }
 }

 fn default_model() -> String {
@@ -205,60 +138,3 @@ pub fn log_dir() -> std::io::Result<PathBuf> {
    p.push("log");
    Ok(p)
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    /// Verify that the `sandbox_permissions` field on `ConfigToml` correctly
-    /// differentiates between a value that is completely absent in the
-    /// provided TOML (i.e. `None`) and one that is explicitly specified as an
-    /// empty array (i.e. `Some(vec![])`). This ensures that downstream logic
-    /// that treats these two cases differently (default read-only policy vs a
-    /// fully locked-down sandbox) continues to function.
-    #[test]
-    fn test_sandbox_permissions_none_vs_empty_vec() {
-        // Case 1: `sandbox_permissions` key is *absent* from the TOML source.
-        let toml_source_without_key = "";
-        let cfg_without_key: ConfigToml = toml::from_str(toml_source_without_key)
-            .expect("TOML deserialization without key should succeed");
-        assert!(cfg_without_key.sandbox_permissions.is_none());
-
-        // Case 2: `sandbox_permissions` is present but set to an *empty array*.
-        let toml_source_with_empty = "sandbox_permissions = []";
-        let cfg_with_empty: ConfigToml = toml::from_str(toml_source_with_empty)
-            .expect("TOML deserialization with empty array should succeed");
-        assert_eq!(Some(vec![]), cfg_with_empty.sandbox_permissions);
-
-        // Case 3: `sandbox_permissions` contains a non-empty list of valid values.
-        let toml_source_with_values = r#"
-            sandbox_permissions = ["disk-full-read-access", "network-full-access"]
-        "#;
-        let cfg_with_values: ConfigToml = toml::from_str(toml_source_with_values)
-            .expect("TOML deserialization with valid permissions should succeed");
-
-        assert_eq!(
-            Some(vec![
-                SandboxPermission::DiskFullReadAccess,
-                SandboxPermission::NetworkFullAccess
-            ]),
-            cfg_with_values.sandbox_permissions
-        );
-    }
-
-    /// Deserializing a TOML string containing an *invalid* permission should
-    /// fail with a helpful error rather than silently defaulting or
-    /// succeeding.
-    #[test]
-    fn test_sandbox_permissions_illegal_value() {
-        let toml_bad = r#"sandbox_permissions = ["not-a-real-permission"]"#;
-
-        let err = toml::from_str::<ConfigToml>(toml_bad)
-            .expect_err("Deserialization should fail for invalid permission");
-
-        // Make sure the error message contains the invalid value so users have
-        // useful feedback.
-        let msg = err.to_string();
-        assert!(msg.contains("not-a-real-permission"));
-    }
-}
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -1,6 +1,7 @@
 use std::io;
 #[cfg(target_family = "unix")]
 use std::os::unix::process::ExitStatusExt;
+use std::path::PathBuf;
 use std::process::ExitStatus;
 use std::process::Stdio;
 use std::sync::Arc;
@@ -32,7 +33,7 @@ const DEFAULT_TIMEOUT_MS: u64 = 10_000;
 const SIGKILL_CODE: i32 = 9;
 const TIMEOUT_CODE: i32 = 64;

-const MACOS_SEATBELT_BASE_POLICY: &str = include_str!("seatbelt_base_policy.sbpl");
+const MACOS_SEATBELT_READONLY_POLICY: &str = include_str!("seatbelt_readonly_policy.sbpl");

 /// When working with `sandbox-exec`, only consider `sandbox-exec` in `/usr/bin`
 /// to defend against an attacker trying to inject a malicious version on the
@@ -66,17 +67,19 @@ pub enum SandboxType {
 #[cfg(target_os = "linux")]
 async fn exec_linux(
    params: ExecParams,
+    writable_roots: &[PathBuf],
    ctrl_c: Arc<Notify>,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
 ) -> Result<RawExecToolCallOutput> {
-    crate::linux::exec_linux(params, ctrl_c, sandbox_policy).await
+    crate::linux::exec_linux(params, writable_roots, ctrl_c, sandbox_policy).await
 }

 #[cfg(not(target_os = "linux"))]
 async fn exec_linux(
    _params: ExecParams,
+    _writable_roots: &[PathBuf],
    _ctrl_c: Arc<Notify>,
-    _sandbox_policy: &SandboxPolicy,
+    _sandbox_policy: SandboxPolicy,
 ) -> Result<RawExecToolCallOutput> {
    Err(CodexErr::Io(io::Error::new(
        io::ErrorKind::InvalidInput,
@@ -87,8 +90,9 @@ async fn exec_linux(
 pub async fn process_exec_tool_call(
    params: ExecParams,
    sandbox_type: SandboxType,
+    writable_roots: &[PathBuf],
    ctrl_c: Arc<Notify>,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
 ) -> Result<ExecToolCallOutput> {
    let start = Instant::now();

@@ -100,7 +104,7 @@ pub async fn process_exec_tool_call(
                workdir,
                timeout_ms,
            } = params;
-            let seatbelt_command = create_seatbelt_command(command, sandbox_policy);
+            let seatbelt_command = create_seatbelt_command(command, sandbox_policy, writable_roots);
            exec(
                ExecParams {
                    command: seatbelt_command,
@@ -111,7 +115,9 @@ pub async fn process_exec_tool_call(
            )
            .await
        }
-        SandboxType::LinuxSeccomp => exec_linux(params, ctrl_c, sandbox_policy).await,
+        SandboxType::LinuxSeccomp => {
+            exec_linux(params, writable_roots, ctrl_c, sandbox_policy).await
+        }
    };
    let duration = start.elapsed();
    match raw_output_result {
@@ -156,61 +162,41 @@ pub async fn process_exec_tool_call(

 pub fn create_seatbelt_command(
    command: Vec<String>,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
+    writable_roots: &[PathBuf],
 ) -> Vec<String> {
-    let (file_write_policy, extra_cli_args) = {
-        if sandbox_policy.has_full_disk_write_access() {
-            // Allegedly, this is more permissive than `(allow file-write*)`.
-            (
-                r#"(allow file-write* (regex #"^/"))"#.to_string(),
-                Vec::<String>::new(),
-            )
-        } else {
-            let writable_roots = sandbox_policy.get_writable_roots();
-            let (writable_folder_policies, cli_args): (Vec<String>, Vec<String>) = writable_roots
-                .iter()
-                .enumerate()
-                .map(|(index, root)| {
-                    let param_name = format!("WRITABLE_ROOT_{index}");
-                    let policy: String = format!("(subpath (param \"{param_name}\"))");
-                    let cli_arg = format!("-D{param_name}={}", root.to_string_lossy());
-                    (policy, cli_arg)
-                })
-                .unzip();
-            if writable_folder_policies.is_empty() {
-                ("".to_string(), Vec::<String>::new())
-            } else {
-                let file_write_policy = format!(
-                    "(allow file-write*\n{}\n)",
-                    writable_folder_policies.join(" ")
-                );
-                (file_write_policy, cli_args)
-            }
-        }
-    };
-
-    let file_read_policy = if sandbox_policy.has_full_disk_read_access() {
-        "; allow read-only file operations\n(allow file-read*)"
-    } else {
-        ""
-    };
+    let (policies, cli_args): (Vec<String>, Vec<String>) = writable_roots
+        .iter()
+        .enumerate()
+        .map(|(index, root)| {
+            let param_name = format!("WRITABLE_ROOT_{index}");
+            let policy: String = format!("(subpath (param \"{param_name}\"))");
+            let cli_arg = format!("-D{param_name}={}", root.to_string_lossy());
+            (policy, cli_arg)
+        })
+        .unzip();

+    // TODO(ragona): The seatbelt policy should reflect the SandboxPolicy that
+    // is passed, but everything is currently hardcoded to use
+    // MACOS_SEATBELT_READONLY_POLICY.
    // TODO(mbolin): apply_patch calls must also honor the SandboxPolicy.
-    let network_policy = if sandbox_policy.has_full_network_access() {
-        "(allow network-outbound)\n(allow network-inbound)\n(allow system-socket)"
+    if !matches!(sandbox_policy, SandboxPolicy::NetworkRestricted) {
+        tracing::error!("specified sandbox policy {sandbox_policy:?} will not be honroed");
+    }
+
+    let full_policy = if policies.is_empty() {
+        MACOS_SEATBELT_READONLY_POLICY.to_string()
    } else {
-        ""
+        let scoped_write_policy = format!("(allow file-write*\n{}\n)", policies.join(" "));
+        format!("{MACOS_SEATBELT_READONLY_POLICY}\n{scoped_write_policy}")
    };

-    let full_policy = format!(
-        "{MACOS_SEATBELT_BASE_POLICY}\n{file_read_policy}\n{file_write_policy}\n{network_policy}"
-    );
    let mut seatbelt_command: Vec<String> = vec![
        MACOS_PATH_TO_SEATBELT_EXECUTABLE.to_string(),
        "-p".to_string(),
-        full_policy,
+        full_policy.to_string(),
    ];
-    seatbelt_command.extend(extra_cli_args);
+    seatbelt_command.extend(cli_args);
    seatbelt_command.push("--".to_string());
    seatbelt_command.extend(command);
    seatbelt_command
--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -28,4 +28,4 @@ mod approval_mode_cli_arg;
 #[cfg(feature = "cli")]
 pub use approval_mode_cli_arg::ApprovalModeCliArg;
 #[cfg(feature = "cli")]
-pub use approval_mode_cli_arg::SandboxPermissionOption;
+pub use approval_mode_cli_arg::SandboxModeCliArg;
--- a/codex-rs/core/src/linux.rs
+++ b/codex-rs/core/src/linux.rs
@@ -32,13 +32,14 @@ use tokio::sync::Notify;

 pub async fn exec_linux(
    params: ExecParams,
+    writable_roots: &[PathBuf],
    ctrl_c: Arc<Notify>,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
 ) -> Result<RawExecToolCallOutput> {
    // Allow READ on /
    // Allow WRITE on /dev/null
    let ctrl_c_copy = ctrl_c.clone();
-    let sandbox_policy = sandbox_policy.clone();
+    let writable_roots_copy = writable_roots.to_vec();

    // Isolate thread to run the sandbox from
    let tool_call_output = std::thread::spawn(move || {
@@ -48,7 +49,14 @@ pub async fn exec_linux(
            .expect("Failed to create runtime");

        rt.block_on(async {
-            apply_sandbox_policy_to_current_thread(sandbox_policy)?;
+            if sandbox_policy.is_network_restricted() {
+                install_network_seccomp_filter_on_current_thread()?;
+            }
+
+            if sandbox_policy.is_file_write_restricted() {
+                install_filesystem_landlock_rules_on_current_thread(writable_roots_copy)?;
+            }
+
            exec(params, ctrl_c_copy).await
        })
    })
@@ -64,31 +72,15 @@ pub async fn exec_linux(
    }
 }

-/// Apply sandbox policies inside this thread so only the child inherits
-/// them, not the entire CLI process.
-pub fn apply_sandbox_policy_to_current_thread(sandbox_policy: SandboxPolicy) -> Result<()> {
-    if !sandbox_policy.has_full_network_access() {
-        install_network_seccomp_filter_on_current_thread()?;
-    }
-
-    if !sandbox_policy.has_full_disk_write_access() {
-        let writable_roots = sandbox_policy.get_writable_roots();
-        install_filesystem_landlock_rules_on_current_thread(writable_roots)?;
-    }
-
-    // TODO(ragona): Add appropriate restrictions if
-    // `sandbox_policy.has_full_disk_read_access()` is `false`.
-
-    Ok(())
-}
-
 /// Installs Landlock file-system rules on the current thread allowing read
 /// access to the entire file-system while restricting write access to
 /// `/dev/null` and the provided list of `writable_roots`.
 ///
 /// # Errors
 /// Returns [`CodexErr::Sandbox`] variants when the ruleset fails to apply.
-fn install_filesystem_landlock_rules_on_current_thread(writable_roots: Vec<PathBuf>) -> Result<()> {
+pub fn install_filesystem_landlock_rules_on_current_thread(
+    writable_roots: Vec<PathBuf>,
+) -> Result<()> {
    let abi = ABI::V5;
    let access_rw = AccessFs::from_all(abi);
    let access_ro = AccessFs::from_read(abi);
@@ -116,7 +108,7 @@ fn install_filesystem_landlock_rules_on_current_thread(writable_roots: Vec<PathB

 /// Installs a seccomp filter that blocks outbound network access except for
 /// AF_UNIX domain sockets.
-fn install_network_seccomp_filter_on_current_thread() -> std::result::Result<(), SandboxErr> {
+pub fn install_network_seccomp_filter_on_current_thread() -> std::result::Result<(), SandboxErr> {
    // Build rule map.
    let mut rules: BTreeMap<i64, Vec<SeccompRule>> = BTreeMap::new();

@@ -192,14 +184,15 @@ mod tests_linux {
            workdir: None,
            timeout_ms: Some(timeout_ms),
        };
-
-        let sandbox_policy =
-            SandboxPolicy::new_read_only_policy_with_writable_roots(writable_roots);
-        let ctrl_c = Arc::new(Notify::new());
-        let res =
-            process_exec_tool_call(params, SandboxType::LinuxSeccomp, ctrl_c, &sandbox_policy)
-                .await
-                .unwrap();
+        let res = process_exec_tool_call(
+            params,
+            SandboxType::LinuxSeccomp,
+            writable_roots,
+            Arc::new(Notify::new()),
+            SandboxPolicy::NetworkAndFileWriteRestricted,
+        )
+        .await
+        .unwrap();

        if res.exit_code != 0 {
            println!("stdout:\n{}", res.stdout);
@@ -268,11 +261,14 @@ mod tests_linux {
            timeout_ms: Some(2_000),
        };

-        let sandbox_policy = SandboxPolicy::new_read_only_policy();
-        let ctrl_c = Arc::new(Notify::new());
-        let result =
-            process_exec_tool_call(params, SandboxType::LinuxSeccomp, ctrl_c, &sandbox_policy)
-                .await;
+        let result = process_exec_tool_call(
+            params,
+            SandboxType::LinuxSeccomp,
+            &[],
+            Arc::new(Notify::new()),
+            SandboxPolicy::NetworkRestricted,
+        )
+        .await;

        let (exit_code, stdout, stderr) = match result {
            Ok(output) => (output.exit_code, output.stdout, output.stderr),
--- a/codex-rs/core/src/protocol.rs
+++ b/codex-rs/core/src/protocol.rs
@@ -93,159 +93,44 @@ pub enum AskForApproval {
 }

 /// Determines execution restrictions for model shell commands
-#[derive(Debug, Clone, PartialEq, Eq, Deserialize, Serialize)]
+#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Hash, Serialize, Deserialize)]
 #[serde(rename_all = "kebab-case")]
-pub struct SandboxPolicy {
-    permissions: Vec<SandboxPermission>,
-}
-
-impl From<Vec<SandboxPermission>> for SandboxPolicy {
-    fn from(permissions: Vec<SandboxPermission>) -> Self {
-        Self { permissions }
-    }
+pub enum SandboxPolicy {
+    /// Network syscalls will be blocked
+    NetworkRestricted,
+    /// Filesystem writes will be restricted
+    FileWriteRestricted,
+    /// Network and filesystem writes will be restricted
+    #[default]
+    NetworkAndFileWriteRestricted,
+    /// No restrictions; full "unsandboxed" mode
+    DangerousNoRestrictions,
 }

 impl SandboxPolicy {
-    pub fn new_read_only_policy() -> Self {
-        Self {
-            permissions: vec![SandboxPermission::DiskFullReadAccess],
+    pub fn is_dangerous(&self) -> bool {
+        match self {
+            SandboxPolicy::NetworkRestricted => false,
+            SandboxPolicy::FileWriteRestricted => false,
+            SandboxPolicy::NetworkAndFileWriteRestricted => false,
+            SandboxPolicy::DangerousNoRestrictions => true,
        }
    }

-    pub fn new_read_only_policy_with_writable_roots(writable_roots: &[PathBuf]) -> Self {
-        let mut permissions = Self::new_read_only_policy().permissions;
-        permissions.extend(writable_roots.iter().map(|folder| {
-            SandboxPermission::DiskWriteFolder {
-                folder: folder.clone(),
-            }
-        }));
-        Self { permissions }
+    pub fn is_network_restricted(&self) -> bool {
+        matches!(
+            self,
+            SandboxPolicy::NetworkRestricted | SandboxPolicy::NetworkAndFileWriteRestricted
+        )
    }

-    pub fn new_full_auto_policy() -> Self {
-        Self {
-            permissions: vec![
-                SandboxPermission::DiskFullReadAccess,
-                SandboxPermission::DiskWritePlatformUserTempFolder,
-                SandboxPermission::DiskWriteCwd,
-            ],
-        }
-    }
-
-    pub fn has_full_disk_read_access(&self) -> bool {
-        self.permissions
-            .iter()
-            .any(|perm| matches!(perm, SandboxPermission::DiskFullReadAccess))
-    }
-
-    pub fn has_full_disk_write_access(&self) -> bool {
-        self.permissions
-            .iter()
-            .any(|perm| matches!(perm, SandboxPermission::DiskFullWriteAccess))
-    }
-
-    pub fn has_full_network_access(&self) -> bool {
-        self.permissions
-            .iter()
-            .any(|perm| matches!(perm, SandboxPermission::NetworkFullAccess))
-    }
-
-    pub fn get_writable_roots(&self) -> Vec<PathBuf> {
-        let mut writable_roots = Vec::<PathBuf>::new();
-        for perm in &self.permissions {
-            use SandboxPermission::*;
-            match perm {
-                DiskWritePlatformUserTempFolder => {
-                    if cfg!(target_os = "macos") {
-                        if let Some(tempdir) = std::env::var_os("TMPDIR") {
-                            // Likely something that starts with /var/folders/...
-                            let tmpdir_path = PathBuf::from(&tempdir);
-                            if tmpdir_path.is_absolute() {
-                                writable_roots.push(tmpdir_path.clone());
-                                match tmpdir_path.canonicalize() {
-                                    Ok(canonicalized) => {
-                                        // Likely something that starts with /private/var/folders/...
-                                        if canonicalized != tmpdir_path {
-                                            writable_roots.push(canonicalized);
-                                        }
-                                    }
-                                    Err(e) => {
-                                        tracing::error!("Failed to canonicalize TMPDIR: {e}");
-                                    }
-                                }
-                            } else {
-                                tracing::error!("TMPDIR is not an absolute path: {tempdir:?}");
-                            }
-                        }
-                    }
-
-                    // For Linux, should this be XDG_RUNTIME_DIR, /run/user/<uid>, or something else?
-                }
-                DiskWritePlatformGlobalTempFolder => {
-                    if cfg!(unix) {
-                        writable_roots.push(PathBuf::from("/tmp"));
-                    }
-                }
-                DiskWriteCwd => match std::env::current_dir() {
-                    Ok(cwd) => writable_roots.push(cwd),
-                    Err(err) => {
-                        tracing::error!("Failed to get current working directory: {err}");
-                    }
-                },
-                DiskWriteFolder { folder } => {
-                    writable_roots.push(folder.clone());
-                }
-                DiskFullReadAccess | NetworkFullAccess => {}
-                DiskFullWriteAccess => {
-                    // Currently, we expect callers to only invoke this method
-                    // after verifying has_full_disk_write_access() is false.
-                }
-            }
-        }
-        writable_roots
-    }
-
-    pub fn is_unrestricted(&self) -> bool {
-        self.has_full_disk_read_access()
-            && self.has_full_disk_write_access()
-            && self.has_full_network_access()
+    pub fn is_file_write_restricted(&self) -> bool {
+        matches!(
+            self,
+            SandboxPolicy::FileWriteRestricted | SandboxPolicy::NetworkAndFileWriteRestricted
+        )
    }
 }
-
-/// Permissions that should be granted to the sandbox in which the agent
-/// operates.
-#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub enum SandboxPermission {
-    /// Is allowed to read all files on disk.
-    DiskFullReadAccess,
-
-    /// Is allowed to write to the operating system's temp dir that
-    /// is restricted to the user the agent is running as. For
-    /// example, on macOS, this is generally something under
-    /// `/var/folders` as opposed to `/tmp`.
-    DiskWritePlatformUserTempFolder,
-
-    /// Is allowed to write to the operating system's shared temp
-    /// dir. On UNIX, this is generally `/tmp`.
-    DiskWritePlatformGlobalTempFolder,
-
-    /// Is allowed to write to the current working directory (in practice, this
-    /// is the `cwd` where `codex` was spawned).
-    DiskWriteCwd,
-
-    /// Is allowed to the specified folder. `PathBuf` must be an
-    /// absolute path, though it is up to the caller to canonicalize
-    /// it if the path contains symlinks.
-    DiskWriteFolder { folder: PathBuf },
-
-    /// Is allowed to write to any file on disk.
-    DiskFullWriteAccess,
-
-    /// Can make arbitrary network requests.
-    NetworkFullAccess,
-}
-
 /// User input
 #[non_exhaustive]
 #[derive(Debug, Clone, Deserialize, Serialize)]
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -65,7 +65,7 @@ pub fn assess_patch_safety(
 pub fn assess_command_safety(
    command: &[String],
    approval_policy: AskForApproval,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
    approved: &HashSet<Vec<String>>,
 ) -> SafetyCheck {
    let approve_without_sandbox = || SafetyCheck::AutoApprove {
@@ -81,10 +81,11 @@ pub fn assess_command_safety(
    }

    // Command was not known-safe or allow-listed
-    if sandbox_policy.is_unrestricted() {
-        approve_without_sandbox()
-    } else {
-        match get_platform_sandbox() {
+    match sandbox_policy {
+        // Only the dangerous sandbox policy will run arbitrary commands outside a sandbox
+        SandboxPolicy::DangerousNoRestrictions => approve_without_sandbox(),
+        // All other policies try to run the command in a sandbox if it is available
+        _ => match get_platform_sandbox() {
            // We have a sandbox, so we can approve the command in all modes
            Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
            None => {
@@ -98,7 +99,7 @@ pub fn assess_command_safety(
                    _ => SafetyCheck::AskUser,
                }
            }
-        }
+        },
    }
 }

--- a/codex-rs/core/src/seatbelt_readonly_policy.sbpl
+++ b/codex-rs/core/src/seatbelt_readonly_policy.sbpl
@@ -6,6 +6,9 @@
 ; start with closed-by-default
 (deny default)

+; allow read-only file operations
+(allow file-read*)
+
 ; child processes inherit the policy of their parent
 (allow process-exec)
 (allow process-fork)
--- a/codex-rs/core/tests/live_agent.rs
+++ b/codex-rs/core/tests/live_agent.rs
@@ -55,7 +55,7 @@ async fn spawn_codex() -> Codex {
                model: config.model,
                instructions: None,
                approval_policy: config.approval_policy,
-                sandbox_policy: SandboxPolicy::new_read_only_policy(),
+                sandbox_policy: SandboxPolicy::NetworkAndFileWriteRestricted,
                disable_response_storage: false,
            },
        })
--- a/codex-rs/core/tests/previous_response_id.rs
+++ b/codex-rs/core/tests/previous_response_id.rs
@@ -95,7 +95,7 @@ async fn keeps_previous_response_id_between_tasks() {
                model: config.model,
                instructions: None,
                approval_policy: config.approval_policy,
-                sandbox_policy: SandboxPolicy::new_read_only_policy(),
+                sandbox_policy: SandboxPolicy::NetworkAndFileWriteRestricted,
                disable_response_storage: false,
            },
        })
--- a/codex-rs/core/tests/stream_no_completed.rs
+++ b/codex-rs/core/tests/stream_no_completed.rs
@@ -78,7 +78,7 @@ async fn retries_on_early_close() {
                model: config.model,
                instructions: None,
                approval_policy: config.approval_policy,
-                sandbox_policy: SandboxPolicy::new_read_only_policy(),
+                sandbox_policy: SandboxPolicy::NetworkAndFileWriteRestricted,
                disable_response_storage: false,
            },
        })
--- a/codex-rs/exec/Cargo.toml
+++ b/codex-rs/exec/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "codex-exec"
-version = { workspace = true }
+version = "0.1.0"
 edition = "2021"

 [[bin]]
@@ -13,11 +13,8 @@ path = "src/lib.rs"

 [dependencies]
 anyhow = "1"
-chrono = "0.4.40"
 clap = { version = "4", features = ["derive"] }
 codex-core = { path = "../core", features = ["cli"] }
-owo-colors = "4.2.0"
-shlex = "1.3.0"
 tokio = { version = "1", features = [
    "io-std",
    "macros",
@@ -27,3 +24,4 @@ tokio = { version = "1", features = [
 ] }
 tracing = { version = "0.1.41", features = ["log"] }
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
+owo-colors = "4.2.0"
--- a/codex-rs/exec/src/cli.rs
+++ b/codex-rs/exec/src/cli.rs
@@ -1,6 +1,5 @@
 use clap::Parser;
-use clap::ValueEnum;
-use codex_core::SandboxPermissionOption;
+use codex_core::SandboxModeCliArg;
 use std::path::PathBuf;

 #[derive(Parser, Debug)]
@@ -14,12 +13,11 @@ pub struct Cli {
    #[arg(long, short = 'm')]
    pub model: Option<String>,

-    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
+    /// Configure the process restrictions when a command is executed.
+    ///
+    /// Uses OS-specific sandboxing tools; Seatbelt on OSX, landlock+seccomp on Linux.
+    #[arg(long = "sandbox", short = 's')]
+    pub sandbox_policy: Option<SandboxModeCliArg>,

    /// Allow running Codex outside a Git repository.
    #[arg(long = "skip-git-repo-check", default_value_t = false)]
@@ -29,19 +27,6 @@ pub struct Cli {
    #[arg(long = "disable-response-storage", default_value_t = false)]
    pub disable_response_storage: bool,

-    /// Specifies color settings for use in the output.
-    #[arg(long = "color", value_enum, default_value_t = Color::Auto)]
-    pub color: Color,
-
    /// Initial instructions for the agent.
-    pub prompt: String,
-}
-
-#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, ValueEnum)]
-#[value(rename_all = "kebab-case")]
-pub enum Color {
-    Always,
-    Never,
-    #[default]
-    Auto,
+    pub prompt: Option<String>,
 }
--- a/codex-rs/exec/src/event_processor.rs
+++ b/codex-rs/exec/src/event_processor.rs
@@ -1,307 +0,0 @@
-use chrono::Utc;
-use codex_core::protocol::Event;
-use codex_core::protocol::EventMsg;
-use codex_core::protocol::FileChange;
-use owo_colors::OwoColorize;
-use owo_colors::Style;
-use shlex::try_join;
-use std::collections::HashMap;
-
-/// This should be configurable. When used in CI, users may not want to impose
-/// a limit so they can see the full transcript.
-const MAX_OUTPUT_LINES_FOR_EXEC_TOOL_CALL: usize = 20;
-
-pub(crate) struct EventProcessor {
-    call_id_to_command: HashMap<String, ExecCommandBegin>,
-    call_id_to_patch: HashMap<String, PatchApplyBegin>,
-
-    // To ensure that --color=never is respected, ANSI escapes _must_ be added
-    // using .style() with one of these fields. If you need a new style, add a
-    // new field here.
-    bold: Style,
-    dimmed: Style,
-
-    magenta: Style,
-    red: Style,
-    green: Style,
-}
-
-impl EventProcessor {
-    pub(crate) fn create_with_ansi(with_ansi: bool) -> Self {
-        let call_id_to_command = HashMap::new();
-        let call_id_to_patch = HashMap::new();
-
-        if with_ansi {
-            Self {
-                call_id_to_command,
-                call_id_to_patch,
-                bold: Style::new().bold(),
-                dimmed: Style::new().dimmed(),
-                magenta: Style::new().magenta(),
-                red: Style::new().red(),
-                green: Style::new().green(),
-            }
-        } else {
-            Self {
-                call_id_to_command,
-                call_id_to_patch,
-                bold: Style::new(),
-                dimmed: Style::new(),
-                magenta: Style::new(),
-                red: Style::new(),
-                green: Style::new(),
-            }
-        }
-    }
-}
-
-struct ExecCommandBegin {
-    command: Vec<String>,
-    start_time: chrono::DateTime<Utc>,
-}
-
-struct PatchApplyBegin {
-    start_time: chrono::DateTime<Utc>,
-    auto_approved: bool,
-}
-
-macro_rules! ts_println {
-    ($($arg:tt)*) => {{
-        let now = Utc::now();
-        let formatted = now.format("%Y-%m-%dT%H:%M:%S").to_string();
-        print!("[{}] ", formatted);
-        println!($($arg)*);
-    }};
-}
-
-impl EventProcessor {
-    pub(crate) fn process_event(&mut self, event: Event) {
-        let Event { id, msg } = event;
-        match msg {
-            EventMsg::Error { message } => {
-                let prefix = "ERROR:".style(self.red);
-                ts_println!("{prefix} {message}");
-            }
-            EventMsg::BackgroundEvent { message } => {
-                ts_println!("{}", message.style(self.dimmed));
-            }
-            EventMsg::TaskStarted => {
-                let msg = format!("Task started: {id}");
-                ts_println!("{}", msg.style(self.dimmed));
-            }
-            EventMsg::TaskComplete => {
-                let msg = format!("Task complete: {id}");
-                ts_println!("{}", msg.style(self.bold));
-            }
-            EventMsg::AgentMessage { message } => {
-                let prefix = "Agent message:".style(self.bold);
-                ts_println!("{prefix} {message}");
-            }
-            EventMsg::ExecCommandBegin {
-                call_id,
-                command,
-                cwd,
-            } => {
-                self.call_id_to_command.insert(
-                    call_id.clone(),
-                    ExecCommandBegin {
-                        command: command.clone(),
-                        start_time: Utc::now(),
-                    },
-                );
-                ts_println!(
-                    "{} {} in {}",
-                    "exec".style(self.magenta),
-                    escape_command(&command).style(self.bold),
-                    cwd,
-                );
-            }
-            EventMsg::ExecCommandEnd {
-                call_id,
-                stdout,
-                stderr,
-                exit_code,
-            } => {
-                let exec_command = self.call_id_to_command.remove(&call_id);
-                let (duration, call) = if let Some(ExecCommandBegin {
-                    command,
-                    start_time,
-                }) = exec_command
-                {
-                    (
-                        format_duration(start_time),
-                        format!("{}", escape_command(&command).style(self.bold)),
-                    )
-                } else {
-                    ("".to_string(), format!("exec('{call_id}')"))
-                };
-
-                let output = if exit_code == 0 { stdout } else { stderr };
-                let truncated_output = output
-                    .lines()
-                    .take(MAX_OUTPUT_LINES_FOR_EXEC_TOOL_CALL)
-                    .collect::<Vec<_>>()
-                    .join("\n");
-                match exit_code {
-                    0 => {
-                        let title = format!("{call} succeded{duration}:");
-                        ts_println!("{}", title.style(self.green));
-                    }
-                    _ => {
-                        let title = format!("{call} exited {exit_code}{duration}:");
-                        ts_println!("{}", title.style(self.red));
-                    }
-                }
-                println!("{}", truncated_output.style(self.dimmed));
-            }
-            EventMsg::PatchApplyBegin {
-                call_id,
-                auto_approved,
-                changes,
-            } => {
-                // Store metadata so we can calculate duration later when we
-                // receive the corresponding PatchApplyEnd event.
-                self.call_id_to_patch.insert(
-                    call_id.clone(),
-                    PatchApplyBegin {
-                        start_time: Utc::now(),
-                        auto_approved,
-                    },
-                );
-
-                ts_println!(
-                    "{} auto_approved={}:",
-                    "apply_patch".style(self.magenta),
-                    auto_approved,
-                );
-
-                // Pretty-print the patch summary with colored diff markers so
-                // it’s easy to scan in the terminal output.
-                for (path, change) in changes.iter() {
-                    match change {
-                        FileChange::Add { content } => {
-                            let header = format!(
-                                "{} {}",
-                                format_file_change(change),
-                                path.to_string_lossy()
-                            );
-                            println!("{}", header.style(self.magenta));
-                            for line in content.lines() {
-                                println!("{}", line.style(self.green));
-                            }
-                        }
-                        FileChange::Delete => {
-                            let header = format!(
-                                "{} {}",
-                                format_file_change(change),
-                                path.to_string_lossy()
-                            );
-                            println!("{}", header.style(self.magenta));
-                        }
-                        FileChange::Update {
-                            unified_diff,
-                            move_path,
-                        } => {
-                            let header = if let Some(dest) = move_path {
-                                format!(
-                                    "{} {} -> {}",
-                                    format_file_change(change),
-                                    path.to_string_lossy(),
-                                    dest.to_string_lossy()
-                                )
-                            } else {
-                                format!("{} {}", format_file_change(change), path.to_string_lossy())
-                            };
-                            println!("{}", header.style(self.magenta));
-
-                            // Colorize diff lines. We keep file header lines
-                            // (--- / +++) without extra coloring so they are
-                            // still readable.
-                            for diff_line in unified_diff.lines() {
-                                if diff_line.starts_with('+') && !diff_line.starts_with("+++") {
-                                    println!("{}", diff_line.style(self.green));
-                                } else if diff_line.starts_with('-')
-                                    && !diff_line.starts_with("---")
-                                {
-                                    println!("{}", diff_line.style(self.red));
-                                } else {
-                                    println!("{diff_line}");
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-            EventMsg::PatchApplyEnd {
-                call_id,
-                stdout,
-                stderr,
-                success,
-            } => {
-                let patch_begin = self.call_id_to_patch.remove(&call_id);
-
-                // Compute duration and summary label similar to exec commands.
-                let (duration, label) = if let Some(PatchApplyBegin {
-                    start_time,
-                    auto_approved,
-                }) = patch_begin
-                {
-                    (
-                        format_duration(start_time),
-                        format!("apply_patch(auto_approved={})", auto_approved),
-                    )
-                } else {
-                    (String::new(), format!("apply_patch('{call_id}')"))
-                };
-
-                let (exit_code, output, title_style) = if success {
-                    (0, stdout, self.green)
-                } else {
-                    (1, stderr, self.red)
-                };
-
-                let title = format!("{label} exited {exit_code}{duration}:");
-                ts_println!("{}", title.style(title_style));
-                for line in output.lines() {
-                    println!("{}", line.style(self.dimmed));
-                }
-            }
-            EventMsg::ExecApprovalRequest { .. } => {
-                // Should we exit?
-            }
-            EventMsg::ApplyPatchApprovalRequest { .. } => {
-                // Should we exit?
-            }
-            _ => {
-                // Ignore event.
-            }
-        }
-    }
-}
-
-fn escape_command(command: &[String]) -> String {
-    try_join(command.iter().map(|s| s.as_str())).unwrap_or_else(|_| command.join(" "))
-}
-
-fn format_file_change(change: &FileChange) -> &'static str {
-    match change {
-        FileChange::Add { .. } => "A",
-        FileChange::Delete => "D",
-        FileChange::Update {
-            move_path: Some(_), ..
-        } => "R",
-        FileChange::Update {
-            move_path: None, ..
-        } => "M",
-    }
-}
-
-fn format_duration(start_time: chrono::DateTime<Utc>) -> String {
-    let elapsed = Utc::now().signed_duration_since(start_time);
-    let millis = elapsed.num_milliseconds();
-    if millis < 1000 {
-        format!(" in {}ms", millis)
-    } else {
-        format!(" in {:.2}s", millis as f64 / 1000.0)
-    }
-}
--- a/codex-rs/exec/src/lib.rs
+++ b/codex-rs/exec/src/lib.rs
@@ -1,7 +1,4 @@
 mod cli;
-mod event_processor;
-
-use std::io::IsTerminal;
 use std::sync::Arc;

 pub use cli::Cli;
@@ -11,71 +8,80 @@ use codex_core::config::ConfigOverrides;
 use codex_core::protocol::AskForApproval;
 use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
+use codex_core::protocol::FileChange;
 use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
-use codex_core::protocol::SandboxPolicy;
 use codex_core::util::is_inside_git_repo;
-use event_processor::EventProcessor;
 use owo_colors::OwoColorize;
-use owo_colors::Style;
 use tracing::debug;
 use tracing::error;
 use tracing::info;
 use tracing_subscriber::EnvFilter;

+/// Returns `true` if a recognised API key is present in the environment.
+///
+/// At present we only support `OPENAI_API_KEY`, mirroring the behaviour of the
+/// Node-based `codex-cli`.  Additional providers can be added here when the
+/// Rust implementation gains first-class support for them.
+fn has_api_key() -> bool {
+    std::env::var("OPENAI_API_KEY")
+        .map(|s| !s.trim().is_empty())
+        .unwrap_or(false)
+}
+
 pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
-    let Cli {
-        images,
-        model,
-        full_auto,
-        sandbox,
-        skip_git_repo_check,
-        disable_response_storage,
-        color,
-        prompt,
-    } = cli;
-
-    let (stdout_with_ansi, stderr_with_ansi) = match color {
-        cli::Color::Always => (true, true),
-        cli::Color::Never => (false, false),
-        cli::Color::Auto => (
-            std::io::stdout().is_terminal(),
-            std::io::stderr().is_terminal(),
-        ),
-    };
-
-    assert_api_key(stderr_with_ansi);
-
-    if !skip_git_repo_check && !is_inside_git_repo() {
-        eprintln!("Not inside a Git repo and --skip-git-repo-check was not specified.");
-        std::process::exit(1);
-    }
-
    // TODO(mbolin): Take a more thoughtful approach to logging.
    let default_level = "error";
+    let allow_ansi = true;
    let _ = tracing_subscriber::fmt()
        .with_env_filter(
            EnvFilter::try_from_default_env()
                .or_else(|_| EnvFilter::try_new(default_level))
                .unwrap(),
        )
-        .with_ansi(stderr_with_ansi)
+        .with_ansi(allow_ansi)
        .with_writer(std::io::stderr)
        .try_init();

-    let sandbox_policy = if full_auto {
-        Some(SandboxPolicy::new_full_auto_policy())
-    } else {
-        sandbox.permissions.clone().map(Into::into)
-    };
+    let Cli {
+        images,
+        model,
+        sandbox_policy,
+        skip_git_repo_check,
+        disable_response_storage,
+        prompt,
+        ..
+    } = cli;
+
+    // ---------------------------------------------------------------------
+    // API key handling
+    // ---------------------------------------------------------------------
+
+    if !has_api_key() {
+        eprintln!(
+            "\n{msg}\n\nSet the environment variable {var} and re-run this command.\nYou can create a key here: {url}\n",
+            msg = "Missing OpenAI API key.".red(),
+            var = "OPENAI_API_KEY".bold(),
+            url = "https://platform.openai.com/account/api-keys".bold().underline(),
+        );
+        std::process::exit(1);
+    }
+
+    if !skip_git_repo_check && !is_inside_git_repo() {
+        eprintln!("Not inside a Git repo and --skip-git-repo-check was not specified.");
+        std::process::exit(1);
+    } else if images.is_empty() && prompt.is_none() {
+        eprintln!("No images or prompt specified.");
+        std::process::exit(1);
+    }

    // Load configuration and determine approval policy
    let overrides = ConfigOverrides {
-        model,
+        model: model.clone(),
        // This CLI is intended to be headless and has no affordances for asking
        // the user for approval.
        approval_policy: Some(AskForApproval::Never),
-        sandbox_policy,
+        sandbox_policy: sandbox_policy.map(Into::into),
        disable_response_storage: if disable_response_storage {
            Some(true)
        } else {
@@ -109,6 +115,7 @@ pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
                    res = codex.next_event() => match res {
                        Ok(event) => {
                            debug!("Received event: {event:?}");
+                            process_event(&event);
                            if let Err(e) = tx.send(event) {
                                error!("Error sending event: {e:?}");
                                break;
@@ -124,8 +131,8 @@ pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
        });
    }

-    // Send images first, if any.
    if !images.is_empty() {
+        // Send images first.
        let items: Vec<InputItem> = images
            .into_iter()
            .map(|path| InputItem::LocalImage { path })
@@ -139,56 +146,101 @@ pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
        }
    }

-    // Send the prompt.
-    let items: Vec<InputItem> = vec![InputItem::Text { text: prompt }];
-    let initial_prompt_task_id = codex.submit(Op::UserInput { items }).await?;
-    info!("Sent prompt with event ID: {initial_prompt_task_id}");
-
-    // Run the loop until the task is complete.
-    let mut event_processor = EventProcessor::create_with_ansi(stdout_with_ansi);
-    while let Some(event) = rx.recv().await {
-        let last_event =
-            event.id == initial_prompt_task_id && matches!(event.msg, EventMsg::TaskComplete);
-        event_processor.process_event(event);
-        if last_event {
-            break;
+    if let Some(prompt) = prompt {
+        // Send the prompt.
+        let items: Vec<InputItem> = vec![InputItem::Text { text: prompt }];
+        let initial_prompt_task_id = codex.submit(Op::UserInput { items }).await?;
+        info!("Sent prompt with event ID: {initial_prompt_task_id}");
+        while let Some(event) = rx.recv().await {
+            if event.id == initial_prompt_task_id && matches!(event.msg, EventMsg::TaskComplete) {
+                break;
+            }
        }
    }

    Ok(())
 }

-/// If a valid API key is not present in the environment, print an error to
-/// stderr and exits with 1; otherwise, does nothing.
-fn assert_api_key(stderr_with_ansi: bool) {
-    if !has_api_key() {
-        let (msg_style, var_style, url_style) = if stderr_with_ansi {
-            (
-                Style::new().red(),
-                Style::new().bold(),
-                Style::new().bold().underline(),
-            )
-        } else {
-            (Style::new(), Style::new(), Style::new())
-        };
-
-        eprintln!(
-            "\n{msg}\n\nSet the environment variable {var} and re-run this command.\nYou can create a key here: {url}\n",
-            msg = "Missing OpenAI API key.".style(msg_style),
-            var = "OPENAI_API_KEY".style(var_style),
-            url = "https://platform.openai.com/account/api-keys".style(url_style),
-        );
-        std::process::exit(1);
+fn process_event(event: &Event) {
+    let Event { id, msg } = event;
+    match msg {
+        EventMsg::Error { message } => {
+            println!("Error: {message}");
+        }
+        EventMsg::BackgroundEvent { .. } => {
+            // Ignore these for now.
+        }
+        EventMsg::TaskStarted => {
+            println!("Task started: {id}");
+        }
+        EventMsg::TaskComplete => {
+            println!("Task complete: {id}");
+        }
+        EventMsg::AgentMessage { message } => {
+            println!("Agent message: {message}");
+        }
+        EventMsg::ExecCommandBegin {
+            call_id,
+            command,
+            cwd,
+        } => {
+            println!("exec('{call_id}'): {:?} in {cwd}", command);
+        }
+        EventMsg::ExecCommandEnd {
+            call_id,
+            stdout,
+            stderr,
+            exit_code,
+        } => {
+            let output = if *exit_code == 0 { stdout } else { stderr };
+            let truncated_output = output.lines().take(5).collect::<Vec<_>>().join("\n");
+            println!("exec('{call_id}') exited {exit_code}:\n{truncated_output}");
+        }
+        EventMsg::PatchApplyBegin {
+            call_id,
+            auto_approved,
+            changes,
+        } => {
+            let changes = changes
+                .iter()
+                .map(|(path, change)| {
+                    format!("{} {}", format_file_change(change), path.to_string_lossy())
+                })
+                .collect::<Vec<_>>()
+                .join("\n");
+            println!("apply_patch('{call_id}') auto_approved={auto_approved}:\n{changes}");
+        }
+        EventMsg::PatchApplyEnd {
+            call_id,
+            stdout,
+            stderr,
+            success,
+        } => {
+            let (exit_code, output) = if *success { (0, stdout) } else { (1, stderr) };
+            let truncated_output = output.lines().take(5).collect::<Vec<_>>().join("\n");
+            println!("apply_patch('{call_id}') exited {exit_code}:\n{truncated_output}");
+        }
+        EventMsg::ExecApprovalRequest { .. } => {
+            // Should we exit?
+        }
+        EventMsg::ApplyPatchApprovalRequest { .. } => {
+            // Should we exit?
+        }
+        _ => {
+            // Ignore event.
+        }
    }
 }

-/// Returns `true` if a recognized API key is present in the environment.
-///
-/// At present we only support `OPENAI_API_KEY`, mirroring the behavior of the
-/// Node-based `codex-cli`. Additional providers can be added here when the
-/// Rust implementation gains first-class support for them.
-fn has_api_key() -> bool {
-    std::env::var("OPENAI_API_KEY")
-        .map(|s| !s.trim().is_empty())
-        .unwrap_or(false)
+fn format_file_change(change: &FileChange) -> &'static str {
+    match change {
+        FileChange::Add { .. } => "A",
+        FileChange::Delete => "D",
+        FileChange::Update {
+            move_path: Some(_), ..
+        } => "R",
+        FileChange::Update {
+            move_path: None, ..
+        } => "M",
+    }
 }
--- a/codex-rs/repl/Cargo.toml
+++ b/codex-rs/repl/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "codex-repl"
-version = { workspace = true }
+version = "0.1.0"
 edition = "2021"

 [[bin]]
--- a/codex-rs/repl/src/cli.rs
+++ b/codex-rs/repl/src/cli.rs
@@ -1,7 +1,7 @@
 use clap::ArgAction;
 use clap::Parser;
 use codex_core::ApprovalModeCliArg;
-use codex_core::SandboxPermissionOption;
+use codex_core::SandboxModeCliArg;
 use std::path::PathBuf;

 /// Command‑line arguments.
@@ -37,12 +37,11 @@ pub struct Cli {
    #[arg(long = "ask-for-approval", short = 'a')]
    pub approval_policy: Option<ApprovalModeCliArg>,

-    /// Convenience alias for low-friction sandboxed automatic execution (-a on-failure, network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
+    /// Configure the process restrictions when a command is executed.
+    ///
+    /// Uses OS-specific sandboxing tools; Seatbelt on OSX, landlock+seccomp on Linux.
+    #[arg(long = "sandbox", short = 's')]
+    pub sandbox_policy: Option<SandboxModeCliArg>,

    /// Allow running Codex outside a Git repository.  By default the CLI
    /// aborts early when the current working directory is **not** inside a
--- a/codex-rs/repl/src/lib.rs
+++ b/codex-rs/repl/src/lib.rs
@@ -6,9 +6,7 @@ use std::sync::Arc;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::protocol;
-use codex_core::protocol::AskForApproval;
 use codex_core::protocol::FileChange;
-use codex_core::protocol::SandboxPolicy;
 use codex_core::util::is_inside_git_repo;
 use codex_core::util::notify_on_sigint;
 use codex_core::Codex;
@@ -78,21 +76,11 @@ pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
    // Initialize logging before any other work so early errors are captured.
    init_logger(cli.verbose, !cli.no_ansi);

-    let (sandbox_policy, approval_policy) = if cli.full_auto {
-        (
-            Some(SandboxPolicy::new_full_auto_policy()),
-            Some(AskForApproval::OnFailure),
-        )
-    } else {
-        let sandbox_policy = cli.sandbox.permissions.clone().map(Into::into);
-        (sandbox_policy, cli.approval_policy.map(Into::into))
-    };
-
    // Load config file and apply CLI overrides (model & approval policy)
    let overrides = ConfigOverrides {
        model: cli.model.clone(),
-        approval_policy,
-        sandbox_policy,
+        approval_policy: cli.approval_policy.map(Into::into),
+        sandbox_policy: cli.sandbox_policy.map(Into::into),
        disable_response_storage: if cli.disable_response_storage {
            Some(true)
        } else {
--- a/codex-rs/tui/src/cli.rs
+++ b/codex-rs/tui/src/cli.rs
@@ -1,6 +1,6 @@
 use clap::Parser;
 use codex_core::ApprovalModeCliArg;
-use codex_core::SandboxPermissionOption;
+use codex_core::SandboxModeCliArg;
 use std::path::PathBuf;

 #[derive(Parser, Debug)]
@@ -21,12 +21,11 @@ pub struct Cli {
    #[arg(long = "ask-for-approval", short = 'a')]
    pub approval_policy: Option<ApprovalModeCliArg>,

-    /// Convenience alias for low-friction sandboxed automatic execution (-a on-failure, network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
+    /// Configure the process restrictions when a command is executed.
+    ///
+    /// Uses OS-specific sandboxing tools; Seatbelt on OSX, landlock+seccomp on Linux.
+    #[arg(long = "sandbox", short = 's')]
+    pub sandbox_policy: Option<SandboxModeCliArg>,

    /// Allow running Codex outside a Git repository.
    #[arg(long = "skip-git-repo-check", default_value_t = false)]
@@ -35,4 +34,12 @@ pub struct Cli {
    /// Disable server‑side response storage (sends the full conversation context with every request)
    #[arg(long = "disable-response-storage", default_value_t = false)]
    pub disable_response_storage: bool,
+
+    /// Convenience alias for low-friction sandboxed automatic execution (-a on-failure, -s network-and-file-write-restricted)
+    #[arg(long = "full-auto", default_value_t = true)]
+    pub full_auto: bool,
+
+    /// Convenience alias for supervised sandboxed execution (-a unless-allow-listed, -s network-and-file-write-restricted)
+    #[arg(long = "suggest", default_value_t = false)]
+    pub suggest: bool,
 }
--- a/codex-rs/tui/src/lib.rs
+++ b/codex-rs/tui/src/lib.rs
@@ -6,8 +6,6 @@
 use app::App;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
-use codex_core::protocol::AskForApproval;
-use codex_core::protocol::SandboxPolicy;
 use codex_core::util::is_inside_git_repo;
 use log_layer::TuiLogLayer;
 use std::fs::OpenOptions;
@@ -35,22 +33,12 @@ pub use cli::Cli;
 pub fn run_main(cli: Cli) -> std::io::Result<()> {
    assert_env_var_set();

-    let (sandbox_policy, approval_policy) = if cli.full_auto {
-        (
-            Some(SandboxPolicy::new_full_auto_policy()),
-            Some(AskForApproval::OnFailure),
-        )
-    } else {
-        let sandbox_policy = cli.sandbox.permissions.clone().map(Into::into);
-        (sandbox_policy, cli.approval_policy.map(Into::into))
-    };
-
    let config = {
        // Load configuration and support CLI overrides.
        let overrides = ConfigOverrides {
            model: cli.model.clone(),
-            approval_policy,
-            sandbox_policy,
+            approval_policy: cli.approval_policy.map(Into::into),
+            sandbox_policy: cli.sandbox_policy.map(Into::into),
            disable_response_storage: if cli.disable_response_storage {
                Some(true)
            } else {
--- a/scripts/release_codex.py
+++ b/scripts/release_codex.py
@@ -1,152 +0,0 @@
-#!/usr/bin/env python3
-"""
-Automate the release procedure documented in `../README.md → Releasing codex`.
-
-Run this script from the repository *root*:
-
-```bash
-python release_codex.py
-```
-
-It performs the same steps that the README lists manually:
-
-1. Create and switch to a `bump-version-<timestamp>` branch.
-2. Bump the timestamp-based version in `codex-cli/package.json` **and**
-   `codex-cli/src/utils/session.ts`.
-3. Commit with a DCO sign-off.
-4. Copy the top-level `README.md` into `codex-cli/` (npm consumers see it).
-5. Run `pnpm release` (copies README again, builds, publishes to npm).
-6. Push the branch so you can open a PR that merges the version bump.
-
-The current directory can live anywhere; all paths are resolved relative to
-this file so moving it elsewhere (e.g. into `scripts/`) still works.
-"""
-
-from __future__ import annotations
-
-import datetime as _dt
-import json as _json
-import os
-import re
-import shutil
-import subprocess as _sp
-import sys
-from pathlib import Path
-
-# ---------------------------------------------------------------------------
-# Paths
-# ---------------------------------------------------------------------------
-
-#   repo-root/
-#   ├── codex-cli/
-#   ├── scripts/       <-- you are here
-#   └── README.md
-
-REPO_ROOT = Path(__file__).resolve().parent.parent
-CODEX_CLI = REPO_ROOT / "codex-cli"
-PKG_JSON = CODEX_CLI / "package.json"
-SESSION_TS = CODEX_CLI / "src" / "utils" / "session.ts"
-README_SRC = REPO_ROOT / "README.md"
-README_DST = CODEX_CLI / "README.md"
-
-
-# ---------------------------------------------------------------------------
-# Helpers
-# ---------------------------------------------------------------------------
-
-
-def sh(cmd: list[str] | str, *, cwd: Path | None = None) -> None:
-    """Run *cmd* printing it first and exit on non-zero status."""
-
-    if isinstance(cmd, list):
-        printable = " ".join(cmd)
-    else:
-        printable = cmd
-
-    print("+", printable)
-
-    _sp.run(cmd, cwd=cwd, shell=isinstance(cmd, str), check=True)
-
-
-def _new_version() -> str:
-    """Return a new timestamp version string such as `0.1.2504301234`."""
-
-    return "0.1." + _dt.datetime.utcnow().strftime("%y%m%d%H%M")
-
-
-def bump_version() -> str:
-    """Update package.json and session.ts, returning the new version."""
-
-    new_ver = _new_version()
-
-    # ---- package.json
-    data = _json.loads(PKG_JSON.read_text())
-    old_ver = data.get("version", "<unknown>")
-    data["version"] = new_ver
-    PKG_JSON.write_text(_json.dumps(data, indent=2) + "\n")
-
-    # ---- session.ts
-    pattern = r'CLI_VERSION = "0\\.1\\.\\d{10}"'
-    repl = f'CLI_VERSION = "{new_ver}"'
-    _text = SESSION_TS.read_text()
-    if re.search(pattern, _text):
-        SESSION_TS.write_text(re.sub(pattern, repl, _text))
-    else:
-        print(
-            "WARNING: CLI_VERSION constant not found – file format may have changed",
-            file=sys.stderr,
-        )
-
-    print(f"Version bump: {old_ver} → {new_ver}")
-    return new_ver
-
-
-# ---------------------------------------------------------------------------
-# Main
-# ---------------------------------------------------------------------------
-
-
-def main() -> None:  # noqa: C901 – readable top-level flow is desired
-    # Ensure we can locate required files.
-    for p in (CODEX_CLI, PKG_JSON, SESSION_TS, README_SRC):
-        if not p.exists():
-            sys.exit(f"Required path missing: {p.relative_to(REPO_ROOT)}")
-
-    os.chdir(REPO_ROOT)
-
-    # ------------------------------- create release branch
-    branch = "bump-version-" + _dt.datetime.utcnow().strftime("%Y%m%d-%H%M")
-    sh(["git", "checkout", "-b", branch])
-
-    # ------------------------------- bump version + commit
-    new_ver = bump_version()
-    sh(
-        [
-            "git",
-            "add",
-            str(PKG_JSON.relative_to(REPO_ROOT)),
-            str(SESSION_TS.relative_to(REPO_ROOT)),
-        ]
-    )
-    sh(["git", "commit", "-s", "-m", f"chore(release): codex-cli v{new_ver}"])
-
-    # ------------------------------- copy README (shown on npmjs.com)
-    shutil.copyfile(README_SRC, README_DST)
-
-    # ------------------------------- build + publish via pnpm script
-    sh(["pnpm", "install"], cwd=CODEX_CLI)
-    sh(["pnpm", "release"], cwd=CODEX_CLI)
-
-    # ------------------------------- push branch
-    sh(["git", "push", "-u", "origin", branch])
-
-    print("\n✅  Release script finished!")
-    print(f"   • npm publish run by pnpm script (branch: {branch})")
-    print("   • Open a PR to merge the version bump once CI passes.")
-
-
-if __name__ == "__main__":
-    try:
-        main()
-    except KeyboardInterrupt:
-        sys.exit("\nCancelled by user")
Author	SHA1	Message	Date
Tiffany Citra	980778f529	Fix sandbox retry approvals	2025-10-15 17:04:10 -07:00
Kevin Alwell	6e7d4a4b45	Should fix #751 by adding verbose error message.	2025-04-30 14:55:15 -04:00
Kevin Alwell	841e19b05d	fix typescript error	2025-04-29 12:43:52 -04:00
Kevin Alwell	f466a73428	Omit default to fix type errors	2025-04-29 12:30:19 -04:00
Kevin Alwell	1a868d35f3	fix typecheck error	2025-04-29 12:22:41 -04:00
Kevin Alwell	9c563054e0	TypeScript bug bashing	2025-04-29 12:17:31 -04:00
Kevin Alwell	ca7204537c	TypeScript bug bashing	2025-04-29 12:14:46 -04:00
Kevin Alwell	132e87cc8c	TypeScript bug bashing	2025-04-29 12:13:38 -04:00
Kevin Alwell	8e80716169	fix tests	2025-04-29 12:10:54 -04:00
Kevin Alwell	d28aedb07b	fix pipeline errors	2025-04-29 12:05:16 -04:00
Kevin Alwell	586ee0ec71	Merge branch 'main' into issue-726	2025-04-29 11:54:34 -04:00
Kevin Alwell	9065e61455	Ensure disableResponseStorage flag is respected	2025-04-29 11:48:47 -04:00
Kevin Alwell	6686f28338	Ensure disableResponseStorage flag is respected	2025-04-29 11:25:07 -04:00
Kevin Alwell	3818df7ba4	Fixes issue #726 by adding config to configToSave object	2025-04-29 10:12:55 -04:00