From 41560604169ce3dd4ba4874f9f852968bfc4cdf1 Mon Sep 17 00:00:00 2001
From: gt-oai
Date: Thu, 8 Jan 2026 19:27:46 +0000
Subject: [PATCH] Add `read-only` when backfilling requirements from managed_config (#8913)

When a user has a managed_config which doesn't specify read-only, Codex fails to launch.
---
 codex-rs/core/src/config_loader/mod.rs | 27 +++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/codex-rs/core/src/config_loader/mod.rs b/codex-rs/core/src/config_loader/mod.rs
index 9cc437d1f..1710ec12c 100644
--- a/codex-rs/core/src/config_loader/mod.rs
+++ b/codex-rs/core/src/config_loader/mod.rs
@@ -574,7 +574,14 @@ impl From for ConfigRequirementsToml {
 config_requirements_toml.allowed_approval_policies = Some(vec![approval_policy]);
 }
 if let Some(sandbox_mode) = sandbox_mode {
- config_requirements_toml.allowed_sandbox_modes = Some(vec![sandbox_mode.into()]);
+ let required_mode: SandboxModeRequirement = sandbox_mode.into();
+ // Allowing read-only is a requirement for Codex to function correctly.
+ // So in this backfill path, we append read-only if it's not already specified.
+ let mut allowed_modes = vec![SandboxModeRequirement::ReadOnly];
+ if required_mode != SandboxModeRequirement::ReadOnly {
+ allowed_modes.push(required_mode);
+ }
+ config_requirements_toml.allowed_sandbox_modes = Some(allowed_modes);
 }
 config_requirements_toml
 }
@@ -622,4 +629,22 @@ foo = "xyzzy"
 assert_eq!(normalized_toml_value, TomlValue::Table(expected_toml_value));
 Ok(())
 }
+
+ #[test]
+ fn legacy_managed_config_backfill_includes_read_only_sandbox_mode() {
+ let legacy = LegacyManagedConfigToml {
+ approval_policy: None,
+ sandbox_mode: Some(SandboxMode::WorkspaceWrite),
+ };
+
+ let requirements = ConfigRequirementsToml::from(legacy);
+
+ assert_eq!(
+ requirements.allowed_sandbox_modes,
+ Some(vec![
+ SandboxModeRequirement::ReadOnly,
+ SandboxModeRequirement::WorkspaceWrite
+ ])
+ );
+ }
 }
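Review bot: The comment added in the `if let Some(sandbox_mode)` branch says read-only is appended, but the new code seeds `allowed_modes` with `SandboxModeRequirement::ReadOnly` and pushes the managed mode after it. If any consumer treats the first allowed entry as a default or preferred mode, that order is part of the contract and should be stated; otherwise the comment should simply match the code, for example `// Read-only must always be allowed for Codex to start, so this backfill always lists it first, followed by the managed mode when that differs.` Since this path turns an administrator's single pinned mode into a two-entry allow-list, the comment should also say that the extra entry is presumably the more restrictive sandbox, so the managed policy is never loosened. The enclosing `from` body starts above the hunk.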
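Review bot: The new test `legacy_managed_config_backfill_includes_read_only_sandbox_mode` exercises only the `WorkspaceWrite` input, so the `required_mode != SandboxModeRequirement::ReadOnly` guard that prevents a duplicate entry is never run. A second case would pin that branch: assuming `SandboxMode` has a `ReadOnly` variant, as the comparison in the conversion suggests, build the legacy config with `sandbox_mode: Some(SandboxMode::ReadOnly)` and assert `Some(vec![SandboxModeRequirement::ReadOnly])`. Because this allow-list comes from managed configuration, an accidental duplicate or a reordering introduced later should fail a test rather than pass silently.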