core/core-agent-ide
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Agent IDE — Codex fork for AI-native development environment
4292 commits 2 branches 0 tags 80 MiB
Find a file
Charley Cunningham cb1a182bbe
Clarify sandbox permission override helper semantics (#13703) 
## Summary
Today `SandboxPermissions::requires_additional_permissions()` does not
actually mean "is `WithAdditionalPermissions`". It returns `true` for
any non-default sandbox override, including `RequireEscalated`. That
broad behavior is relied on in multiple `main` callsites.

The naming is security-sensitive because `SandboxPermissions` is used on
shell-like tool calls to tell the executor how a single command should
relate to the turn sandbox:
- `UseDefault`: run with the turn sandbox unchanged
- `RequireEscalated`: request execution outside the sandbox
- `WithAdditionalPermissions`: stay sandboxed but widen permissions for
that command only

## Problem
The old helper name reads as if it only applies to the
`WithAdditionalPermissions` variant. In practice it means "this command
requested any explicit sandbox override."

That ambiguity made it easy to read production checks incorrectly and
made the guardian change look like a standalone `main` fix when it is
not.

On `main` today:
- `shell` and `unified_exec` intentionally reject any explicit
`sandbox_permissions` request unless approval policy is `OnRequest`
- `exec_policy` intentionally treats any explicit sandbox override as
prompt-worthy in restricted sandboxes
- tests intentionally serialize both `RequireEscalated` and
`WithAdditionalPermissions` as explicit sandbox override requests

So changing those callsites from the broad helper to a narrow
`WithAdditionalPermissions` check would be a behavior change, not a pure
cleanup.

## What This PR Does
- documents `SandboxPermissions` as a per-command sandbox override, not
a generic permissions bag
- adds `requests_sandbox_override()` for the broad meaning: anything
except `UseDefault`
- adds `uses_additional_permissions()` for the narrow meaning: only
`WithAdditionalPermissions`
- keeps `requires_additional_permissions()` as a compatibility alias to
the broad meaning for now
- updates the current broad callsites to use the accurately named broad
helper
- adds unit coverage that locks in the semantics of all three helpers

## What This PR Does Not Do
This PR does not change runtime behavior. That is intentional.

---------

Co-authored-by: Codex <noreply@openai.com>
2026-03-06 09:57:48 -08:00
.codex/skills Add PR babysitting skill for this repo (#12513) 2026-02-22 15:36:28 -08:00
.devcontainer chore: install an extension for TOML syntax highlighting in the devcontainer (#1650) 2025-07-22 10:58:09 -07:00
.github chore(deps): bump actions/upload-artifact from 6 to 7 (#13207) 2026-03-04 18:32:35 -07:00
.vscode chore: rm --all-features flag from rust-analyzer (#13381) 2026-03-03 11:44:54 -08:00
codex-cli Update pnpm versions to fix cve-2026-24842 (#12009) 2026-02-19 14:27:55 -08:00
codex-rs Clarify sandbox permission override helper semantics (#13703) 2026-03-06 09:57:48 -08:00
docs Clarify js_repl image emission and encoding guidance (#13639) 2026-03-05 16:02:37 -08:00
patches [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
scripts Add Windows direct install script (#12741) 2026-03-03 09:25:50 -08:00
sdk/typescript Update pnpm versions to fix cve-2026-24842 (#12009) 2026-02-19 14:27:55 -08:00
shell-tool-mcp refactor: delete exec-server and move execve wrapper into shell-escalation (#12632) 2026-02-23 20:10:22 -08:00
third_party Add feature-gated freeform js_repl core runtime (#10674) 2026-02-11 12:05:02 -08:00
.bazelignore [bazel] Improve runfiles handling (#10098) 2026-01-29 00:15:44 +00:00
.bazelrc [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
.bazelversion [bazel] Upgrade to bazel9 (#9576) 2026-01-21 13:25:36 +00:00
.codespellignore feat(network-proxy): structured policy signaling and attempt correlation to core (#11662) 2026-02-13 09:01:11 +00:00
.codespellrc feat(network-proxy): structured policy signaling and attempt correlation to core (#11662) 2026-02-13 09:01:11 +00:00
.gitignore gitignore bazel-* (#8911) 2026-01-08 07:50:58 -08:00
.markdownlint-cli2.yaml fix(tui): document paste-burst state machine (#9020) 2026-01-13 11:48:31 -08:00
.npmrc chore: migrate to pnpm for improved monorepo management (#287) 2025-04-18 16:25:15 -07:00
.prettierignore [apply-patch] Clean up apply-patch tool definitions (#2539) 2025-08-21 20:07:41 -07:00
.prettierrc.toml Initial commit 2025-04-16 12:56:08 -04:00
AGENTS.md feat: discourage the use of the --all-features flag (#12429) 2026-02-20 23:02:24 -08:00
announcement_tip.toml nit: test an (#10892) 2026-02-06 14:41:53 +01:00
BUILD.bazel [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
CHANGELOG.md Documentation improvement: add missing period (#3754) 2025-10-30 13:01:33 -07:00
cliff.toml docs(changelog): update install command to @openai/codex@<version> (#2073) 2025-10-18 11:02:22 -07:00
defs.bzl [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
flake.lock fix(nix): update flake for newer Rust toolchain requirements (#10302) 2026-01-31 11:34:53 -08:00
flake.nix fix(nix): use correct version from Cargo.toml in flake build (#11770) 2026-02-13 12:19:25 -08:00
justfile feat: discourage the use of the --all-features flag (#12429) 2026-02-20 23:02:24 -08:00
LICENSE Initial commit 2025-04-16 12:56:08 -04:00
MODULE.bazel [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
MODULE.bazel.lock feat: track plugins mcps/apps and add plugin info to user_instructions (#13433) 2026-03-04 19:46:13 -08:00
NOTICE Add feature-gated freeform js_repl core runtime (#10674) 2026-02-11 12:05:02 -08:00
package.json Update pnpm versions to fix cve-2026-24842 (#12009) 2026-02-19 14:27:55 -08:00
pnpm-lock.yaml chore: ensure pnpm-workspace.yaml is up-to-date (#10140) 2026-01-29 10:49:03 -08:00
pnpm-workspace.yaml chore: ensure pnpm-workspace.yaml is up-to-date (#10140) 2026-01-29 10:49:03 -08:00
rbe.bzl [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
README.md docs: mention Codex app in README intro (#11926) 2026-02-16 17:35:05 +01:00
SECURITY.md docs: add codex security policy (#12193) 2026-02-19 09:12:59 -08:00

README.md

npm i -g @openai/codex
or brew install --cask codex

Codex CLI is a coding agent from OpenAI that runs locally on your computer.

Codex CLI splash


If you want Codex in your code editor (VS Code, Cursor, Windsurf), install in your IDE.
If you want the desktop app experience, run codex app or visit the Codex App page.
If you are looking for the cloud-based agent from OpenAI, Codex Web, go to chatgpt.com/codex.

Quickstart

Installing and running Codex CLI

Install globally with your preferred package manager:

# Install using npm
npm install -g @openai/codex

# Install using Homebrew
brew install --cask codex

Then simply run codex to get started.

You can also go to the latest GitHub Release and download the appropriate binary for your platform.

Each GitHub Release contains many executables, but in practice, you likely want one of these:

  • macOS
    • Apple Silicon/arm64: codex-aarch64-apple-darwin.tar.gz
    • x86_64 (older Mac hardware): codex-x86_64-apple-darwin.tar.gz
  • Linux
    • x86_64: codex-x86_64-unknown-linux-musl.tar.gz
    • arm64: codex-aarch64-unknown-linux-musl.tar.gz

Each archive contains a single entry with the platform baked into the name (e.g., codex-x86_64-unknown-linux-musl), so you likely want to rename it to codex after extracting it.

Using Codex with your ChatGPT plan

Run codex and select Sign in with ChatGPT. We recommend signing into your ChatGPT account to use Codex as part of your Plus, Pro, Team, Edu, or Enterprise plan. Learn more about what's included in your ChatGPT plan.

You can also use Codex with an API key, but this requires additional setup.

Docs

This repository is licensed under the Apache-2.0 License.