mirror of
https://github.com/openai/codex.git
synced 2026-04-25 23:24:55 +00:00
3c1adbabcd
## Summary Fix network proxy sessions so changing sandbox mode recomputes the effective managed network policy and applies it to the already-running per-session proxy. ## Root Cause `danger_full_access_denylist_only` injects `"*"` only while building the proxy spec for Full Access. Sessions built that spec once at startup, so a later permission switch to Full Access left the live proxy in its original restricted policy. Switching back needed the same recompute path to remove the synthetic wildcard again. ## What Changed - Preserve the original managed network proxy config/requirements so the effective spec can be recomputed for a new sandbox policy. - Refresh the current session proxy when sandbox settings change, then reapply exec-policy network overlays. - Add an in-place proxy state update path while rejecting listener/port/SOCKS changes that cannot be hot-reloaded. - Keep runtime proxy settings cheap to snapshot and update. - Add regression coverage for workspace-write -> Full Access -> workspace-write.