core: widen sandbox to allow certificate ops when network is enabled (#5980)

This allows `gh api` to work in the workspace-write sandbox w/ network enabled. Without this we see e.g. ``` $ codex debug seatbelt --full-auto gh api repos/openai/codex/pulls --paginate -X GET -F state=all Get "https://api.github.com/repos/openai/codex/pulls?per_page=100&state=all": tls: failed to verify certificate: x509: OSStatus -26276 ```
2025-11-06 12:47:20 -08:00
parent fe7eb18104
commit 8501b0b768
5 changed files with 112 additions and 22 deletions
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -313,6 +313,10 @@ pub(crate) mod errors {
                SandboxTransformError::MissingLinuxSandboxExecutable => {
                    CodexErr::LandlockSandboxExecutableNotProvided
                }
+                #[cfg(not(target_os = "macos"))]
+                SandboxTransformError::SeatbeltUnavailable => CodexErr::UnsupportedOperation(
+                    "seatbelt sandbox is only available on macOS".to_string(),
+                ),
            }
        }
    }