viyatb-oai a27d3847b5 [codex] Reject read-only fallback with approvals disabled (#23774) ...

## Why

If a user configures `approval_policy = "never"` with `sandbox_mode =
"danger-full-access"`, managed requirements can reject full access and
force the existing permission fallback to read-only. That leaves Codex
in a dead-end session: writes are blocked by the sandbox, while
approvals are disabled so the session cannot ask to proceed.

This PR rejects that constrained configuration during startup instead of
letting the TUI enter a read-only session that cannot make progress. The
rejection is attached to the requirement-constrained permission path in
[`Config`](39f0abc0a7/codex-rs/core/src/config/mod.rs (L3301-L3318)).

## What changed

- Reject the `danger-full-access` to read-only managed-requirements
fallback when the effective approval policy is `never`.
- Explain in the startup config error why the fallback is invalid and
how to fix it.
- Add a regression test for the managed requirements path.

2026-05-20 17:17:59 -07:00

..

common

Honor client-resolved service tier defaults (#23537)

2026-05-20 15:57:50 -07:00

suite

[codex] Reject read-only fallback with approvals disabled (#23774)

2026-05-20 17:17:59 -07:00

all.rs

fix: separate codex mcp into codex mcp-server and codex app-server (#4471)

2025-09-30 07:06:18 +00:00