feat: add --dangerously-bypass-approvals-and-sandbox (#1384)

This PR reworks `assess_command_safety()` so that the combination of
`AskForApproval::Never` and `SandboxPolicy::DangerFullAccess` guarantees
that commands run without _any_ sandbox and that the user is never
prompted for approval. On top of that, it adds a new
`--dangerously-bypass-approvals-and-sandbox` flag (mutually exclusive
with `--approval-policy` and `--full-auto`) that sets both of those
options at once.

Fixes https://github.com/openai/codex/issues/1254
This commit is contained in:
Michael Bolin
2025-06-25 12:36:10 -07:00
committed by GitHub
parent 72082164c1
commit 50924101d2
7 changed files with 91 additions and 33 deletions


@@ -1371,7 +1371,7 @@ async fn handle_container_exec_with_params(
}
}
Err(CodexErr::Sandbox(error)) => {
handle_sanbox_error(error, sandbox_type, params, sess, sub_id, call_id).await
handle_sandbox_error(error, sandbox_type, params, sess, sub_id, call_id).await
}
Err(e) => {
// Handle non-sandbox errors
@@ -1386,7 +1386,7 @@ async fn handle_container_exec_with_params(
}
}
async fn handle_sanbox_error(
async fn handle_sandbox_error(
error: SandboxErr,
sandbox_type: SandboxType,
params: ExecParams,
@@ -1408,7 +1408,14 @@ async fn handle_sanbox_error(
};
}
// Ask the user to retry without sandbox
// Note that when `error` is `SandboxErr::Denied`, it could be a false
// positive. That is, it may have exited with a non-zero exit code, not
// because the sandbox denied it, but because that is its expected behavior,
// i.e., a grep command that did not match anything. Ideally we would
// include additional metadata on the command to indicate whether non-zero
// exit codes merit a retry.
// For now, we categorically ask the user to retry without sandbox.
sess.notify_background_event(&sub_id, format!("Execution failed: {error}"))
.await;