mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
Add allow_managed_hooks_only hook requirement (#20319)
## Why

Enterprise-managed hook policy needs a narrow way to require Codex to ignore user-controlled lifecycle hooks without adopting the broader trust-precedence model from earlier hook work. This keeps the policy anchored in `requirements.toml`, so admins can opt into managed hooks only while normal `config.toml` files cannot enable the restriction themselves.

## What changed

- Added `allow_managed_hooks_only` to the requirements data flow and preserved explicit `false` values.
- Also adds it to /debug-config
- Marked MDM, system, and legacy managed config layers as managed for hook discovery.
- Updated hook discovery so `allow_managed_hooks_only = true`:
  - keeps managed requirements hooks and managed config-layer hooks,
  - skips user/project/session `hooks.json` and `[hooks]` entries with concise startup warnings,
  - skips current unmanaged plugin hooks,
  - ignores any `allow_managed_hooks_only` key placed in ordinary `config.toml` layers.
committed by GitHub (Unverified)
parent fbfbfe5fc5
commit 913aad4d3c
@@ -5,3 +5,11 @@ For basic configuration instructions, see [this documentation](https://developer
|
||||
For advanced configuration instructions, see [this documentation](https://developers.openai.com/codex/config-advanced).
|
||||
|
||||
For a full configuration reference, see [this documentation](https://developers.openai.com/codex/config-reference).
|
||||
|
||||
## Lifecycle hooks
|
||||
|
||||
Admins can set top-level `allow_managed_hooks_only = true` in
|
||||
`requirements.toml` to ignore user, project, and session hook configs while
|
||||
still allowing managed hooks from requirements and managed config layers. This
|
||||
setting is only supported in `requirements.toml`; putting it in `config.toml`
|
||||
does not enable managed-hooks-only mode.
|
||||
|
||||
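Review bot: The added "Lifecycle hooks" paragraph lists only user, project, and session hook configs as ignored, while the commit message says current unmanaged plugin hooks are skipped as well; add plugin hooks to that sentence so the documented scope matches what is enforced. The phrase "managed config layers" is also left undefined here, and the commit message names them (MDM, system, and legacy managed config), so spell them out for admins who need to know which sources stay trusted. Finally, the last sentence says a key in `config.toml` does not enable the mode but gives no way to confirm the effective state; a pointer to /debug-config, which the commit message says now reports this setting, would let an admin verify that the restriction is actually active, and it is worth stating that skipped hook configs produce startup warnings.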