feat(ce-work-beta): add user-selectable sandbox options to Codex delegation#364
huntharo wants to merge 2 commits into EveryInc:main from
Conversation
…gation

The delegate step told the agent to run Codex without specifying sandbox or approval flags. Users without permissive global Codex config saw delegation fail on the first network operation (e.g., npm install). PR EveryInc#363 proposed hardcoding `-s workspace-write -a never`, but one-shotting via `codex exec` likely needs `--yolo` for non-trivial tasks since workspace-write still restricts system-level access.

Add a new step 2 to the External Delegation Workflow that presents three security posture options:

- Default (no flags) -- uses Codex defaults, will likely fail in exec mode
- Workspace write (`--full-auto`) -- moderate access, may still fail
- Full access (`--yolo`) -- disables all restrictions, with explicit risk warnings about data deletion, secret leakage, and unapproved commands

The choice is asked once per delegation session and applied to all delegated tasks. Uses cross-platform question tool with numbered-list fallback per the skill checklist.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 476feb89d3
Reviewed lines (plugins/compound-engineering/skills/ce-work-beta/SKILL.md, External Delegation Workflow):

6. **Review diff** — After the delegate finishes, verify the diff is non-empty and in-scope. Run the project's test/lint commands. If the diff is empty or out-of-scope, fall back to standard mode for that task.

7. **Commit** — The current agent handles all git operations. The delegate's sandbox blocks `.git/index.lock` writes, so the delegate cannot commit. Stage changes and commit with a conventional message.
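Review bot: the empty-diff fallback in step 6 ("If the diff is empty or out-of-scope, fall back to standard mode") will misclassify a run in which the delegate committed its own work, and step 7's reasoning no longer rules that out once the `--yolo` posture from step 2 is selectable: with approvals and the sandbox bypassed nothing blocks a write to `.git/index.lock`, the working-tree diff is then empty, and the task reads as a no-op instead of as unexpected history. Suggest recording `git rev-parse HEAD` before the delegate runs and treating a moved HEAD as a finding to inspect (and reset if out of scope) rather than as an empty diff, and scoping step 7's "the delegate cannot commit" guarantee to the default and workspace-write postures, with the prompt instruction named as the only control in `--yolo` mode.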
Remove sandbox-based commit guarantee for --yolo mode

Step 2 now allows the --dangerously-bypass-approvals-and-sandbox (--yolo) posture, but this step still claims the delegate "cannot commit" because sandboxing blocks .git/index.lock. In --yolo, Codex runs without sandboxing/approvals (per the Codex CLI reference), so that guarantee is no longer true and delegated runs can create commits if the model ignores prompt guidance. This can leave unexpected history and invalidate the workflow assumption that git operations are always handled by the current agent.
Codex review correctly flagged that in --yolo mode the sandbox is disabled, so the delegate CAN write to .git/index.lock. Updated step 7 to clarify the sandbox only blocks commits in default and workspace-write modes; in yolo mode, the prompt instruction is what prevents the delegate from committing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
huntharo: I ran this last night via the wrapper shell script and built a full stack app in about 45 minutes from Claude using Codex to do the build.

@huntharo That's great to hear - full stack app in 45 minutes is a solid validation of the Codex delegation flow. Any rough edges or things that could be smoother?
Summary
Add a security posture selection step to the Codex External Delegation Workflow so users can choose between default, workspace-write, and full-access (`--yolo`) modes before delegation runs.

Why this matters

Taking over PR #363 after discussing with @mvanhorn.

`codex exec` with default settings fails on the first operation needing approval (e.g., `npm install`) because exec mode is non-interactive. That PR proposed hardcoding `-s workspace-write -a never`, but `workspace-write` still restricts system-level (and network) access outside the workspace directory. For non-trivial one-shot delegations, `--yolo` (`--dangerously-bypass-approvals-and-sandbox`) is the only flag set likely to produce a complete solution -- but it carries real risks (arbitrary file deletion, secret leakage, unapproved command execution). Rather than hardcoding one posture, this PR lets the user choose with full visibility into the tradeoffs.
Changes
Added step 2 ("Select security posture") to the External Delegation Workflow in `plugins/compound-engineering/skills/ce-work-beta/SKILL.md`:

- Default (no flags) -- uses Codex defaults, will likely fail in exec mode.
- Workspace write (`--full-auto`) -- `-s workspace-write -a on-request`. Moderate risk, may still fail for tasks needing system access.
- Full access (`--yolo`) -- `--dangerously-bypass-approvals-and-sandbox`. Explicit risk warnings about data deletion, secret leakage, and unapproved commands. Only option likely to work for non-trivial exec-mode delegation.

The choice is asked once per session via the platform's blocking question tool (with numbered-list fallback for platforms without one). Renumbered subsequent steps (old 2-7 -> new 3-8).
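As an added example (not code from this PR or from the compound-engineering project), the posture selection with its numbered-list fallback and the post-run commit check in POSIX shell. It maps the three postures to exactly the flags the PR names, rejects any other input instead of silently widening access, and compares HEAD before and after the delegate so a commit made under `--yolo` (where the sandbox no longer blocks `.git/index.lock`) is surfaced rather than mistaken for an empty diff. The function names are hypothetical, and the example assumes a wrapper passes the prompt to `codex exec` as a trailing argument.

```shell
#!/bin/sh
# Added example, not the project's SKILL.md text. Flag strings are the ones the
# PR description names; everything else here is an assumed wrapper design.

# Print the Codex CLI flags for a posture name; return 2 on an unknown name.
codex_posture_flags() {
  case "$1" in
    default)   printf '%s\n' '' ;;            # no flags: exec mode likely stops at first approval
    workspace) printf '%s\n' '--full-auto' ;; # PR: equals -s workspace-write -a on-request
    yolo)      printf '%s\n' '--dangerously-bypass-approvals-and-sandbox' ;;
    *) printf 'unknown posture: %s\n' "$1" >&2; return 2 ;;
  esac
}

# Numbered-list fallback: map a typed "1", "2" or "3" to a posture name.
# Any other input fails rather than defaulting to a broader posture.
posture_from_choice() {
  case "$1" in
    1) echo default ;;
    2) echo workspace ;;
    3) echo yolo ;;
    *) printf 'invalid choice: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Ask once per session (menu goes to stderr so stdout stays the answer).
prompt_posture() {
  cat >&2 <<'EOF'
Select security posture for Codex delegation (applies to every task this session):
  1) Default         - no flags; exec mode will likely fail at the first approval
  2) Workspace write - --full-auto; may still fail on system or network access
  3) Full access     - --yolo; no sandbox, no approvals: can delete files,
                       leak secrets and run unapproved commands
EOF
  read -r choice
  posture_from_choice "$choice"
}

# Build (but do not run) the delegate command line so it can be logged first.
# $1 = posture name, $2 = prompt argument handed to codex exec (assumption).
build_codex_cmd() {
  flags=$(codex_posture_flags "$1") || return 2
  if [ -n "$flags" ]; then
    printf 'codex exec %s %s\n' "$flags" "$2"
  else
    printf 'codex exec %s\n' "$2"
  fi
}

# Return 0 when HEAD moved during the delegate run, i.e. the delegate committed.
# Under --yolo nothing blocks .git/index.lock, so this check replaces the
# "sandbox prevents commits" guarantee; an empty working-tree diff plus a moved
# HEAD means "inspect the new commits", not "the task did nothing".
delegate_committed() {
  [ "$1" != "$2" ]
}

# Whole flow: record HEAD, run the delegate, then check for delegate commits.
run_delegation() {
  posture=$1; prompt=$2
  before=$(git rev-parse HEAD)
  sh -c "$(build_codex_cmd "$posture" "$prompt")"
  after=$(git rev-parse HEAD)
  if delegate_committed "$before" "$after"; then
    printf 'delegate created commits (%s..%s); review before proceeding\n' \
      "$before" "$after" >&2
    return 3
  fi
}
```

`run_delegation` is the only function that touches git or Codex; the mapping and validation functions are pure so a wrapper can unit-test them without a repository.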
Supersedes #363.
Testing
Tested via `claude-code-ce` script that loads updated plugin into claude code CLI, then giving the problem below and checking before/after.

There is an additional oddity uncovered: it tries to redirect the prompt file into `codex` and this fails and it ends up reading help messages several times then deciding to just emit the full prompt in the command line string - other times it randomly decides to cat the plan and pipe it to `codex`, which appears to work.

Test Prompt
Screenshots:

- Before - Does Not Prompt / Simply Fails to Exit Codex Sandbox
- After - Prompts for Mode
- After - Yolo Selected - Runs with `dangerously-bypass-approvals-and-sandbox`
- After - Yolo Selected - Gets Result
- After - Workspace Write Selected - Runs with `full-auto`
- After - Workspace Write Selected - Fails on Network