From a2b9f4600659f9a02b1ddef91af053202eff45c7 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 8 Aug 2025 18:19:40 -0700 Subject: [PATCH] [exec] Fix exec sandbox arg (#2034) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary From codex-cli 😁 `-s/--sandbox` now correctly affects sandbox mode. What changed - In `codex-rs/exec/src/cli.rs`: - Added `value_enum` to the `--sandbox` flag so Clap parses enum values into ` SandboxModeCliArg`. - This ensures values like `-s read-only`, `-s workspace-write`, and `-s dange r-full-access` are recognized and propagated. Why this fixes it - The enum already derives `ValueEnum`, but without `#[arg(value_enum)]` Clap ma y not map the string into the enum, leaving the option ineffective at runtime. W ith `value_enum`, `sandbox_mode` is parsed and then converted to `SandboxMode` i n `run_main`, which feeds into `ConfigOverrides` and ultimately into the effecti ve `sandbox_policy`. --- codex-rs/exec/src/cli.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/codex-rs/exec/src/cli.rs b/codex-rs/exec/src/cli.rs index b6c48b9d..31dd4109 100644 --- a/codex-rs/exec/src/cli.rs +++ b/codex-rs/exec/src/cli.rs @@ -19,7 +19,7 @@ pub struct Cli { /// Select the sandbox policy to use when executing model-generated shell /// commands. - #[arg(long = "sandbox", short = 's')] + #[arg(long = "sandbox", short = 's', value_enum)] pub sandbox_mode: Option, /// Configuration profile from config.toml to specify default options.