feat: add support for --sandbox flag (#1476)

On a high-level, we try to design `config.toml` so that you don't have to "comment out a lot of stuff" when testing different options. Previously, defining a sandbox policy was somewhat at odds with this principle because you would define the policy as attributes of `[sandbox]` like so: ```toml [sandbox] mode = "workspace-write" writable_roots = [ "/tmp" ] ``` but if you wanted to temporarily change to a read-only sandbox, you might feel compelled to modify your file to be: ```toml [sandbox] mode = "read-only" # mode = "workspace-write" # writable_roots = [ "/tmp" ] ``` Technically, commenting out `writable_roots` would not be strictly necessary, as `mode = "read-only"` would ignore `writable_roots`, but it's still a reasonable thing to do to keep things tidy. Currently, the various values for `mode` do not support that many attributes, so this is not that hard to maintain, but one could imagine this becoming more complex in the future. In this PR, we change Codex CLI so that it no longer recognizes `[sandbox]`. Instead, it introduces a top-level option, `sandbox_mode`, and `[sandbox_workspace_write]` is used to further configure the sandbox when when `sandbox_mode = "workspace-write"` is used: ```toml sandbox_mode = "workspace-write" [sandbox_workspace_write] writable_roots = [ "/tmp" ] ``` This feels a bit more future-proof in that it is less tedious to configure different sandboxes: ```toml sandbox_mode = "workspace-write" [sandbox_read_only] # read-only options here... [sandbox_workspace_write] writable_roots = [ "/tmp" ] [sandbox_danger_full_access] # danger-full-access options here... ``` In this scheme, you never need to comment out the configuration for an individual sandbox type: you only need to redefine `sandbox_mode`. Relatedly, previous to this change, a user had to do `-c sandbox.mode=read-only` to change the mode on the command line. With this change, things are arguably a bit cleaner because the equivalent option is `-c sandbox_mode=read-only` (and now `-c sandbox_workspace_write=...` can be set separately). Though more importantly, we introduce the `-s/--sandbox` option to the CLI, which maps directly to `sandbox_mode` in `config.toml`, making config override behavior easier to reason about. Moreover, as you can see in the updates to the various Markdown files, it is much easier to explain how to configure sandboxing when things like `--sandbox read-only` can be used as an example. Relatedly, this cleanup also made it straightforward to add support for a `sandbox` option for Codex when used as an MCP server (see the changes to `mcp-server/src/codex_tool_config.rs`). Fixes https://github.com/openai/codex/issues/1248.
2025-07-07 22:31:30 -07:00
parent 0a44c42533
commit e0c08cea4f
13 changed files with 233 additions and 77 deletions
--- a/codex-rs/mcp-server/src/codex_tool_config.rs
+++ b/codex-rs/mcp-server/src/codex_tool_config.rs
@@ -1,5 +1,6 @@
 //! Configuration object accepted by the `codex` MCP tool-call.

+use codex_core::config_types::SandboxMode;
 use codex_core::protocol::AskForApproval;
 use mcp_types::Tool;
 use mcp_types::ToolInputSchema;
@@ -31,19 +32,23 @@ pub(crate) struct CodexToolCallParam {
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cwd: Option<String>,

-    /// Execution approval policy expressed as the kebab-case variant name
-    /// (`unless-allow-listed`, `auto-edit`, `on-failure`, `never`).
+    /// Approval policy for shell commands generated by the model:
+    /// `untrusted`, `on-failure`, `never`.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub approval_policy: Option<CodexToolCallApprovalPolicy>,

+    /// Sandbox mode: `read-only`, `workspace-write`, or `danger-full-access`.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub sandbox: Option<CodexToolCallSandboxMode>,
+
    /// Individual config settings that will override what is in
    /// CODEX_HOME/config.toml.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub config: Option<HashMap<String, serde_json::Value>>,
 }

-// Custom enum mirroring `AskForApproval`, but constrained to the subset we
-// expose via the tool-call schema.
+/// Custom enum mirroring [`AskForApproval`], but has an extra dependency on
+/// [`JsonSchema`].
 #[derive(Debug, Clone, Deserialize, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub(crate) enum CodexToolCallApprovalPolicy {
@@ -62,6 +67,26 @@ impl From<CodexToolCallApprovalPolicy> for AskForApproval {
    }
 }

+/// Custom enum mirroring [`SandboxMode`] from config_types.rs, but with
+/// `JsonSchema` support.
+#[derive(Debug, Clone, Deserialize, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub(crate) enum CodexToolCallSandboxMode {
+    ReadOnly,
+    WorkspaceWrite,
+    DangerFullAccess,
+}
+
+impl From<CodexToolCallSandboxMode> for SandboxMode {
+    fn from(value: CodexToolCallSandboxMode) -> Self {
+        match value {
+            CodexToolCallSandboxMode::ReadOnly => SandboxMode::ReadOnly,
+            CodexToolCallSandboxMode::WorkspaceWrite => SandboxMode::WorkspaceWrite,
+            CodexToolCallSandboxMode::DangerFullAccess => SandboxMode::DangerFullAccess,
+        }
+    }
+}
+
 /// Builds a `Tool` definition (JSON schema etc.) for the Codex tool-call.
 pub(crate) fn create_tool_for_codex_tool_call_param() -> Tool {
    let schema = SchemaSettings::draft2019_09()
@@ -104,6 +129,7 @@ impl CodexToolCallParam {
            profile,
            cwd,
            approval_policy,
+            sandbox,
            config: cli_overrides,
        } = self;

@@ -113,9 +139,7 @@ impl CodexToolCallParam {
            config_profile: profile,
            cwd: cwd.map(PathBuf::from),
            approval_policy: approval_policy.map(Into::into),
-            // Note we may want to expose a field on CodexToolCallParam to
-            // facilitate configuring the sandbox policy.
-            sandbox_policy: None,
+            sandbox_mode: sandbox.map(Into::into),
            model_provider: None,
            codex_linux_sandbox_exe,
        };
@@ -160,7 +184,7 @@ mod tests {
            "type": "object",
            "properties": {
              "approval-policy": {
-                "description": "Execution approval policy expressed as the kebab-case variant name (`unless-allow-listed`, `auto-edit`, `on-failure`, `never`).",
+                "description": "Approval policy for shell commands generated by the model: `untrusted`, `on-failure`, `never`.",
                "enum": [
                  "untrusted",
                  "on-failure",
@@ -168,6 +192,15 @@ mod tests {
                ],
                "type": "string"
              },
+              "sandbox": {
+                "description": "Sandbox mode: `read-only`, `workspace-write`, or `danger-full-access`.",
+                "enum": [
+                  "read-only",
+                  "workspace-write",
+                  "danger-full-access"
+                ],
+                "type": "string"
+              },
              "config": {
                "description": "Individual config settings that will override what is in CODEX_HOME/config.toml.",
                "additionalProperties": true,