Commit Graph

2635 Commits

  • Auto-approve MCP server elicitations in Full Access mode (#17164)
    Currently, when a MCP server sends an elicitation to Codex running in
    Full Access (`sandbox_policy: DangerFullAccess` + `approval_policy:
    Never`), the elicitations are auto-cancelled.
    
    This PR updates the automatic handling of MCP elicitations to be
    consistent with other approvals in full-access, where they are
    auto-approved. Because MCP elicitations may actually require user input,
    this mechanism is limited to empty form elicitations.
    
    ## Changeset
    - Add policy helper shared with existing MCP tool call approval
    auto-approve
    - Update `ElicitationRequestManager` to auto-approve elicitations in
    full access when `can_auto_accept_elicitation` is true.
    - Add tests
    
    Co-authored-by: Codex <noreply@openai.com>
  • Update guardian output schema (#17061)
    ## Summary
    - Update guardian output schema to separate risk, authorization,
    outcome, and rationale.
    - Feed guardian rationale into rejection messages.
    - Split the guardian policy into template and tenant-config sections.
    
    ## Validation
    - `cargo test -p codex-core mcp_tool_call`
    - `env -u CODEX_SANDBOX_NETWORK_DISABLED INSTA_UPDATE=always cargo test
    -p codex-core guardian::`
    
    ---------
    
    Co-authored-by: Owen Lin <owen@openai.com>
  • Attach WebRTC realtime starts to sideband websocket (#17057)
    Summary:
    - parse the realtime call Location header and join that call over the
    direct realtime WebSocket
    - keep WebRTC starts alive on the existing realtime conversation path
    
    Validation:
    - just fmt
    - git diff --check
    - cargo check -p codex-api
    - cargo check -p codex-core --tests
    - local cargo tests not run; relying on PR CI
  • Fix missing fields (#17149)
    Fix missing `image_generation_tool_auth_allowed` in two locations.
  • [codex] Support remote exec cwd in TUI startup (#17142)
    When running with remote executor the cwd is the remote path. Today we
    check for existence of a local directory on startup and attempt to load
    config from it.
    
    For remote executors don't do that.
  • release ready, enabling only for siwc users (#17046)
    **Disabling Image-Gen for Non-SIWC Codex Users**
    
    We are only enabling image-gen feature for SIWC Codex users until there
    comes a fix in ResponsesAPI to omit output from responses.completed, to
    prevent the following issues:
    
    1. websocket blows up due to heavier load (images) than before (text) 
    2. http parser streams through n^2 of n-base64 bytes (sum of base64s of
    all images generated in turn) that causes long delays in
    turn_completion.
  • fix(debug-config, guardian): fix /debug-config rendering and guardian… (#17138)
    ## Description
    
    This PR fixes `/debug-config` so it shows more of the active
    requirements state, including reviewer requirements and managed feature
    pins. This made it clear that legacy MDM config was setting
    `approvals_reviewer = "guardian_subagent"` and that we were translating
    that into a requirements constraint.
    
    Also, translate `approvals_reviewer = "guardian_subagent"` (from legacy
    managed_config.toml) to `allowed_approvals_reviewers: guardian_subagent,
    user` instead of `allowed_approvals_reviewers: guardian_subagent`.
    
    Example `/debug-config`:
    ```
    Config layer stack (lowest precedence first):
      1. system (/etc/codex/config.toml) (enabled)
      2. user (/Users/owen/.codex/config.toml) (enabled)
      3. project (/Users/owen/repos/codex/.codex/config.toml) (enabled)
      4. legacy managed_config.toml (MDM) (enabled)
         MDM value:
           ...
    
           # Enable Guardian Mode
           features.guardian_approval = true
           approvals_reviewer = "guardian_subagent"
    
    Requirements:
      - allowed_approvals_reviewers: guardian_subagent, user (source: MDM managed_config.toml (legacy))
      - features: apps=true, plugins=true (source: cloud requirements)
    ```
    
    Before this PR, the `Requirements` section showed None.
  • Use AbsolutePathBuf for exec cwd plumbing (#17063)
    ## Summary
    - Carry `AbsolutePathBuf` through tool cwd parsing/resolution instead of
    resolving workdirs to raw `PathBuf`s.
    - Type exec/sandbox request cwd fields as `AbsolutePathBuf` through
    `ExecParams`, `ExecRequest`, `SandboxCommand`, and unified exec runtime
    requests.
    - Keep `PathBuf` conversions at external/event boundaries and update
    existing tests/fixtures for the typed cwd.
    
    ## Validation
    - `cargo check -p codex-core --tests`
    - `cargo check -p codex-sandboxing --tests`
    - `cargo test -p codex-sandboxing`
    - `cargo test -p codex-core --lib tools::handlers::`
    - `just fix -p codex-sandboxing`
    - `just fix -p codex-core`
    - `just fmt`
    
    Full `codex-core` test suite was not run locally; per repo guidance I
    kept local validation targeted.
  • Add realtime transport config (#17097)
    Adds realtime.transport config with websocket as the default and webrtc
    wired through the effective config.
    
    Co-authored-by: Codex <noreply@openai.com>
  • Show global AGENTS.md in /status (#17091)
    Addresses #3793
    
    Problem: /status only reported project-level AGENTS files, so sessions
    with a loaded global $CODEX_HOME/AGENTS.md still showed Agents.md as
    <none>.
    
    Solution: Track the global instructions file loaded during config
    initialization and prepend that path to the /status Agents.md summary,
    with coverage for AGENTS.md, AGENTS.override.md, and global-plus-project
    ordering.
  • Configure multi_agent_v2 spawn agent hints (#17071)
    Allow multi_agent_v2 features to have its own temporary configuration
    under `[features.multi_agent_v2]`
    
    ```
    [features.multi_agent_v2]
    enabled = true
    usage_hint_enabled = false
    usage_hint_text = "Custom delegation guidance."
    hide_spawn_agent_metadata = true
    ```
    
    Absent `usage_hint_text` means use the default hint.
    
    ```
    [features]
    multi_agent_v2 = true
    ```
    
    still works as the boolean shorthand.
  • codex debug 2 (guardian approved) (#17118)
    Removes lines 8-14 from core/templates/agents/orchestrator.md.
  • codex debug 15 (guardian approved) (#17131)
    Removes lines 99-106 from core/templates/agents/orchestrator.md.
  • codex debug 13 (guardian approved) (#17129)
    Removes lines 85-91 from core/templates/agents/orchestrator.md.
  • codex debug 11 (guardian approved) (#17127)
    Removes lines 71-77 from core/templates/agents/orchestrator.md.
  • codex debug 9 (guardian approved) (#17125)
    Removes lines 57-63 from core/templates/agents/orchestrator.md.
  • codex debug 7 (guardian approved) (#17123)
    Removes lines 43-49 from core/templates/agents/orchestrator.md.
  • codex debug 5 (guardian approved) (#17121)
    Removes lines 29-35 from core/templates/agents/orchestrator.md.
  • codex debug 3 (guardian approved) (#17119)
    Removes lines 15-21 from core/templates/agents/orchestrator.md.
  • codex debug 1 (guardian approved) (#17117)
    Removes lines 1-7 from core/templates/agents/orchestrator.md.
  • Support anyOf and enum in JsonSchema (#16875)
    This brings us into better alignment with the JSON schema subset that is
    supported in
    <https://developers.openai.com/api/docs/guides/structured-outputs#supported-schemas>,
    and also allows us to render richer function signatures in code mode
    (e.g., anyOf{null, OtherObjectType})
  • fix: refresh network proxy settings when sandbox mode changes (#17040)
    ## Summary
    
    Fix network proxy sessions so changing sandbox mode recomputes the
    effective managed network policy and applies it to the already-running
    per-session proxy.
    
    ## Root Cause
    
    `danger_full_access_denylist_only` injects `"*"` only while building the
    proxy spec for Full Access. Sessions built that spec once at startup, so
    a later permission switch to Full Access left the live proxy in its
    original restricted policy. Switching back needed the same recompute
    path to remove the synthetic wildcard again.
    
    ## What Changed
    
    - Preserve the original managed network proxy config/requirements so the
    effective spec can be recomputed for a new sandbox policy.
    - Refresh the current session proxy when sandbox settings change, then
    reapply exec-policy network overlays.
    - Add an in-place proxy state update path while rejecting
    listener/port/SOCKS changes that cannot be hot-reloaded.
    - Keep runtime proxy settings cheap to snapshot and update.
    - Add regression coverage for workspace-write -> Full Access ->
    workspace-write.
  • Use model metadata for Fast Mode status (#16949)
    Fast Mode status was still tied to one model name in the TUI and
    model-list plumbing. This changes the model metadata shape so a model
    can advertise additional speed tiers, carries that field through the
    app-server model list, and uses it to decide when to show Fast Mode
    status.
    
    For people using Codex, the behavior is intended to stay the same for
    existing models. Fast Mode still requires the existing signed-in /
    feature-gated path; the difference is that the UI can now recognize any
    model the model list marks as Fast-capable, instead of requiring a new
    client-side slug check.
  • [codex] Apply patches through executor filesystem (#17048)
    ## Summary
    - run apply_patch through the executor filesystem when a remote
    environment is present instead of shelling out to the local process
    - thread the executor FileSystem into apply_patch interception and keep
    existing local behavior for non-remote turns
    - make the apply_patch integration harness use the executor filesystem
    for setup/assertions
    - add remote-aware skips for turn-diff coverage that still reads the
    test-runner filesystem
    
    ## Why
    Remote apply_patch needed to mutate the remote workspace instead of the
    local checkout. The tests also needed to seed and assert workspace state
    through the same filesystem abstraction so local and remote runs
    exercise the same behavior.
    
    ## Validation
    - `just fmt`
    - `git diff --check`
    - `cargo check -p core_test_support --tests`
    - `cargo test -p codex-core --test all
    suite::shell_serialization::apply_patch_custom_tool_call -- --nocapture`
    - `cargo test -p codex-core --test all
    suite::apply_patch_cli::apply_patch_cli_updates_file_appends_trailing_newline
    -- --nocapture`
    - remote `cargo test -p codex-core --test all apply_patch_cli --
    --nocapture` (229 passed)
  • Add WebRTC transport to realtime start (#16960)
    Adds WebRTC startup to the experimental app-server
    `thread/realtime/start` method with an optional transport enum. The
    websocket path remains the default; WebRTC offers create the realtime
    session through the shared start flow and emit the answer SDP via
    `thread/realtime/sdp`.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • [codex] Migrate apply_patch to executor filesystem (#17027)
    - Migrate apply-patch verification and application internals to use the
    async `ExecutorFileSystem` abstraction from `exec-server`.
    - Convert apply-patch `cwd` handling to `AbsolutePathBuf` through the
    verifier/parser/handler boundary.
    
    Doesn't change how the tool itself works.
  • fix(core) revert Command line in unified exec output (#17031)
    ## Summary
    https://github.com/openai/codex/pull/13860 changed the serialized output
    format of Unified Exec. This PR reverts those changes and some related
    test changes
    
    ## Testing
    - [x] Update tests
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • [codex] Fix unified exec test build (#17032)
    ## Summary
    - Remove the stale `?` after `AbsolutePathBuf::join` in the unified exec
    integration test helper.
    
    ## Root Cause
    - `AbsolutePathBuf::join` was made infallible, but
    `core/tests/suite/unified_exec.rs` still treated it as a `Result`, which
    broke the Windows test build for the `all` integration test target.
    
    ## Validation
    - `just fmt`
    - `cargo test -p codex-core --test all
    unified_exec_resolves_relative_workdir`
  • Add full-ci branch trigger (#16980)
    Allow branches to trigger full ci (helpful to run remote tests)
  • [codex] Make unified exec tests remote aware (#16977)
    ## Summary
    - Convert unified exec integration tests that can run against the remote
    executor to use the remote-aware test harness.
    - Create workspace directories through the executor filesystem for
    remote runs.
    - Install `python3` and `zsh` in the remote test container so restored
    Python/zsh-based test commands work in fresh Ubuntu containers.
    
    ## Validation
    - `just fmt`
    - `cargo test -p codex-core --test all unified_exec_defaults_to_pipe`
    - `cargo test -p codex-core --test all unified_exec_can_enable_tty`
    - `cargo test -p codex-core --test all unified_exec`
    - Remote on `codex-remote`: `source scripts/test-remote-env.sh && cd
    codex-rs && cargo test -p codex-core --test all unified_exec`
    - `just fix -p codex-core`
  • [codex] Make AbsolutePathBuf joins infallible (#16981)
    Having to check for errors every time join is called is painful and
    unnecessary.
  • fix(guardian): don't throw away transcript when over budget (#16956)
    ## Description
    
    This PR changes guardian transcript compaction so oversized
    conversations no longer collapse into a nearly empty placeholder.
    
    Before this change, if the retained user history alone exceeded the
    message budget, guardian would replace the entire transcript with
    `<transcript omitted to preserve budget for planned action>`!
    
    That meant approvals, especially network approvals, could lose the
    recent tool call and tool result that explained what guardian was
    actually reviewing. Now we keep a compact but usable transcript instead
    of dropping it all.
    
    ### Before
    ```
    The following is the Codex agent history whose request action you are assessing...
    >>> TRANSCRIPT START
    <transcript omitted to preserve budget for planned action>
    >>> TRANSCRIPT END
    
    Conversation transcript omitted due to size.
    
    The Codex agent has requested the following action:
    >>> APPROVAL REQUEST START
    Retry reason:
    Sandbox blocked outbound network access.
    
    Assess the exact planned action below. Use read-only tool checks when local state matters.
    Planned action JSON:
    {
      "tool": "network_access",
      "target": "https://example.com:443",
      "host": "example.com",
      "protocol": "https",
      "port": 443
    }
    >>> APPROVAL REQUEST END
    ```
    
    ### After
    ```
    The following is the Codex agent history whose request action you are assessing...
    >>> TRANSCRIPT START
    [1] user: Please investigate why uploads to example.com are failing and retry if needed.
    [8] user: If the request looks correct, go ahead and try again with network access.
    [9] tool shell call: {"command":["curl","-X","POST","https://example.com/upload"],"cwd":"/repo"}
    [10] tool shell result: sandbox blocked outbound network access
    >>> TRANSCRIPT END
    
    Some conversation entries were omitted.
    
    The Codex agent has requested the following action:
    >>> APPROVAL REQUEST START
    Retry reason:
    Sandbox blocked outbound network access.
    
    Assess the exact planned action below. Use read-only tool checks when local state matters.
    Planned action JSON:
    {
      "tool": "network_access",
      "target": "https://example.com:443",
      "host": "example.com",
      "protocol": "https",
      "port": 443
    }
    >>> APPROVAL REQUEST END
    ```
  • feat(analytics): generate an installation_id and pass it in responsesapi client_metadata (#16912)
    ## Summary
    
    This adds a stable Codex installation ID and includes it on Responses
    API requests via `x-codex-installation-id` passed in via the
    `client_metadata` field for analytics/debugging.
    
    The main pieces are:
    - persist a UUID in `$CODEX_HOME/installation_id`
    - thread the installation ID into `ModelClient`
    - send it in `client_metadata` on Responses requests so it works
    consistently across HTTP and WebSocket transports
  • Preserve null developer instructions (#16976)
    Preserve explicit null developer-instruction overrides across app-server
    resume and fork flows.
  • Fix nested exec thread ID restore (#16882)
    Addresses #15527
    
    Problem: Nested `codex exec` commands could source a shell snapshot that
    re-exported the parent `CODEX_THREAD_ID`, so commands inside the nested
    session were attributed to the wrong thread.
    
    Solution: Reapply the live command env's `CODEX_THREAD_ID` after
    sourcing the snapshot.
  • Fix read-only apply_patch rejection message (#16885)
    Addresses #15532
    
    Problem: Nested read-only `apply_patch` rejections report in-project
    files as outside the project.
    
    Solution: Choose the rejection message based on sandbox mode so
    read-only sessions report a read-only-specific reason, and add focused
    safety coverage.
  • Stabilize flaky multi-agent followup interrupt test (#16739)
    Problem: The multi-agent followup interrupt test polled history before
    interrupt cleanup and mailbox wakeup were guaranteed to settle, which
    made it flaky under CI scheduling variance.
    
    Solution: Wait for the child turn's `TurnAborted(Interrupted)` event
    before asserting that the redirected assistant envelope is recorded and
    no plain user message is left behind.
  • [codex] reduce module visibility (#16978)
    ## Summary
    - reduce public module visibility across Rust crates, preferring private
    or crate-private modules with explicit crate-root public exports
    - update external call sites and tests to use the intended public crate
    APIs instead of reaching through module trees
    - add the module visibility guideline to AGENTS.md
    
    ## Validation
    - `cargo check --workspace --all-targets --message-format=short` passed
    before the final fix/format pass
    - `just fix` completed successfully
    - `just fmt` completed successfully
    - `git diff --check` passed
  • [codex] ez - rename env=>request in codex-rs/core/src/unified_exec/process_manager.rs (#16724)
    # External (non-OpenAI) Pull Request Requirements
    
    Before opening this Pull Request, please read the dedicated
    "Contributing" markdown file or your PR may be closed:
    https://github.com/openai/codex/blob/main/docs/contributing.md
    
    If your PR conforms to our contribution guidelines, replace this text
    with a detailed and high quality description of your changes.
    
    Include a link to a bug report or enhancement request.
  • collapse dev message into one (#16988)
    collapse image-gen dev message into one