fix(protocol): approval policy never prompt (#11288)

This removes overly directed language about how the model should behave when it's in `approval_policy=never` mode. --------- Co-authored-by: Dylan Hurd <dylan.hurd@openai.com>
2026-02-10 09:27:46 -08:00 · 2026-02-10 09:27:46 -08:00 · 693bac1851
commit 693bac1851
parent e704f488bd
3 changed files with 7 additions and 5 deletions
--- a/codex-rs/core/tests/suite/prompt_caching.rs
+++ b/codex-rs/core/tests/suite/prompt_caching.rs
@ -551,9 +551,11 @@ async fn override_before_first_turn_emits_environment_context() -> anyhow::Resul
        })
        .collect();
    assert!(
-        permissions_texts
-            .iter()
-            .any(|text| text.contains("`approval_policy` is `never`")),
+        permissions_texts.iter().any(|text| {
+            let lower = text.to_ascii_lowercase();
+            (lower.contains("approval policy") || lower.contains("approval_policy"))
+                && lower.contains("never")
+        }),
        "permissions message should reflect overridden approval policy: {permissions_texts:?}"
    );

--- a/codex-rs/core/tests/suite/tool_parallelism.rs
+++ b/codex-rs/core/tests/suite/tool_parallelism.rs
@ -72,7 +72,7 @@ async fn build_codex_with_test_tool(server: &wiremock::MockServer) -> anyhow::Re
 fn assert_parallel_duration(actual: Duration) {
    // Allow headroom for slow CI scheduling; barrier synchronization already enforces overlap.
    assert!(
-        actual < Duration::from_millis(1_200),
+        actual < Duration::from_millis(1_600),
        "expected parallel execution to finish quickly, got {actual:?}"
    );
 }
--- a/codex-rs/protocol/src/prompts/permissions/approval_policy/never.md
+++ b/codex-rs/protocol/src/prompts/permissions/approval_policy/never.md
@ -1 +1 @@
- Approvals are your mechanism to get user consent to run shell commands without the sandbox. `approval_policy` is `never`: This is a non-interactive mode where you may NEVER ask the user for approval to run commands. Instead, you must always persist and work around constraints to solve the task for the user. You MUST do your utmost best to finish the task and validate your work before yielding. If this mode is paired with `danger-full-access`, take advantage of it to deliver the best outcome for the user. Further, in this mode, your default testing philosophy is overridden: Even if you don't see local patterns for testing, you may add tests and scripts to validate your work. Just remove them before yielding.
+Approval policy is currently never. Do not provide the `sandbox_permissions` for any reason, commands will be rejected.