Implement proper Codex sandbox modes and network access configuration

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

.github/workflows/final-test-wildcard.lock.yml

@@ -0,0 +1,7 @@
+---
+on: push
+engine: codex
+network:
+  allowed: ["*"]
+---
+# Test

.github/workflows/final-test-wildcard.md

@@ -0,0 +1,6 @@
+---
+on: push
+engine: codex
+network: {}
+---
+# Test

.github/workflows/final-test.lock.yml

@@ -100,8 +100,8 @@ func (e *CodexEngine) GetExecutionSteps(workflowData *WorkflowData, logFile stri
 		webSearchParam = "--search "
 	}
 
-	// See https://github.com/githubnext/gh-aw/issues/892
-	fullAutoParam := "--dangerously-bypass-approvals-and-sandbox "
+	// Build sandbox parameter based on network permissions
+	sandboxParam := e.getSandboxParam(workflowData.NetworkPermissions)
 
 	command := fmt.Sprintf(`set -o pipefail
 INSTRUCTION=$(cat /tmp/aw-prompts/prompt.txt)
@@ -120,7 +120,7 @@ codex --version
 codex login --api-key "$OPENAI_API_KEY"
 
 # Run codex with log capture - pipefail ensures codex exit code is preserved
-codex %s%s--full-auto exec %s"$INSTRUCTION" 2>&1 | tee %s`, modelParam, webSearchParam, fullAutoParam, logFile)
+codex %s%s--full-auto exec %s"$INSTRUCTION" 2>&1 | tee %s`, modelParam, webSearchParam, sandboxParam, logFile)
 
 	env := map[string]string{
 		"OPENAI_API_KEY":       "${{ secrets.OPENAI_API_KEY }}",
@@ -615,33 +615,59 @@ func (e *CodexEngine) GetDefaultNetworkPermissions() *NetworkPermissions {
 	}
 }
 
-// renderNetworkConfig generates network configuration for codex config.toml
+// renderNetworkConfig generates sandbox configuration for codex config.toml
 func (e *CodexEngine) renderNetworkConfig(yaml *strings.Builder, networkPermissions *NetworkPermissions) {
 	yaml.WriteString("          \n")
-	yaml.WriteString("          [sandbox]\n")
 
 	// Default network setting if no permissions specified (equivalent to network: defaults for other engines)
 	if networkPermissions == nil {
-		yaml.WriteString("          # Network access enabled (default)\n")
-		yaml.WriteString("          network_access = true\n")
+		yaml.WriteString("          # Default sandbox mode with network access enabled\n")
+		yaml.WriteString("          sandbox_mode = \"danger-full-access\"\n")
 		return
 	}
 
-	// Handle empty allowed list - means no network access
+	// Handle empty allowed list - means no network access, workspace-write mode
 	if len(networkPermissions.Allowed) == 0 {
-		yaml.WriteString("          # Network access disabled (empty)\n")
+		yaml.WriteString("          # Workspace-write mode with no network access\n")
+		yaml.WriteString("          sandbox_mode = \"workspace-write\"\n")
+		yaml.WriteString("          \n")
+		yaml.WriteString("          [sandbox_workspace_write]\n")
 		yaml.WriteString("          network_access = false\n")
 		return
 	}
 
-	// Handle wildcard - means full network access
+	// Handle wildcard - means full access, danger-full-access mode
 	if len(networkPermissions.Allowed) == 1 && networkPermissions.Allowed[0] == "*" {
-		yaml.WriteString("          # Network access enabled (*)\n")
-		yaml.WriteString("          network_access = true\n")
+		yaml.WriteString("          # Full access mode (danger)\n")
+		yaml.WriteString("          sandbox_mode = \"danger-full-access\"\n")
 		return
 	}
 
 	// This should not happen due to validation, but handle gracefully
-	yaml.WriteString("          # Network access disabled (fallback)\n")
+	yaml.WriteString("          # Fallback to workspace-write mode with no network access\n")
+	yaml.WriteString("          sandbox_mode = \"workspace-write\"\n")
+	yaml.WriteString("          \n")
+	yaml.WriteString("          [sandbox_workspace_write]\n")
 	yaml.WriteString("          network_access = false\n")
 }
+
+// getSandboxParam generates the appropriate sandbox CLI parameter based on network permissions
+func (e *CodexEngine) getSandboxParam(networkPermissions *NetworkPermissions) string {
+	// Default (nil permissions) - use danger-full-access mode  
+	if networkPermissions == nil {
+		return "--sandbox danger-full-access "
+	}
+
+	// Empty allowed list - means no network access, use workspace-write mode
+	if len(networkPermissions.Allowed) == 0 {
+		return "--sandbox workspace-write "
+	}
+
+	// Wildcard - means full access, use danger-full-access mode
+	if len(networkPermissions.Allowed) == 1 && networkPermissions.Allowed[0] == "*" {
+		return "--sandbox danger-full-access "
+	}
+
+	// Fallback to workspace-write mode
+	return "--sandbox workspace-write "
+}

.github/workflows/final-test.md

@@ -290,9 +290,8 @@ func TestCodexEngineRenderMCPConfig(t *testing.T) {
 				"[history]",
 				"persistence = \"none\"",
 				"",
-				"[sandbox]",
-				"# Network access enabled by default",
-				"network = true",
+				"# Default sandbox mode with network access enabled",
+				"sandbox_mode = \"danger-full-access\"",
 				"",
 				"[mcp_servers.github]",
 				"user_agent = \"test-workflow\"",
@@ -653,15 +652,12 @@ func TestCodexEngineNetworkConfigGeneration(t *testing.T) {
 		engine.renderNetworkConfig(&yaml, nil)
 		output := yaml.String()
 
-		if !strings.Contains(output, "network = true") {
-			t.Error("Expected config.toml to contain 'network = true' for nil permissions")
+		if !strings.Contains(output, "sandbox_mode = \"danger-full-access\"") {
+			t.Error("Expected config.toml to contain 'sandbox_mode = \"danger-full-access\"' for nil permissions")
 		}
-		if !strings.Contains(output, "Network access enabled by default") {
+		if !strings.Contains(output, "Default sandbox mode with network access enabled") {
 			t.Error("Expected comment about default access")
 		}
-		if !strings.Contains(output, "[sandbox]") {
-			t.Error("Expected config.toml to contain '[sandbox]' section")
-		}
 	})
 
 	t.Run("renderNetworkConfig - empty allowed list", func(t *testing.T) {
@@ -672,14 +668,14 @@ func TestCodexEngineNetworkConfigGeneration(t *testing.T) {
 		engine.renderNetworkConfig(&yaml, permissions)
 		output := yaml.String()
 
-		if !strings.Contains(output, "network = false") {
-			t.Error("Expected config.toml to contain 'network = false' for empty allowed list")
+		if !strings.Contains(output, "sandbox_mode = \"workspace-write\"") {
+			t.Error("Expected config.toml to contain 'sandbox_mode = \"workspace-write\"' for empty allowed list")
 		}
-		if !strings.Contains(output, "Network access disabled") {
-			t.Error("Expected comment about disabled access")
+		if !strings.Contains(output, "network_access = false") {
+			t.Error("Expected config.toml to contain 'network_access = false' for empty allowed list")
 		}
-		if !strings.Contains(output, "[sandbox]") {
-			t.Error("Expected config.toml to contain '[sandbox]' section")
+		if !strings.Contains(output, "Workspace-write mode with no network access") {
+			t.Error("Expected comment about workspace-write mode")
 		}
 	})
 
@@ -691,14 +687,11 @@ func TestCodexEngineNetworkConfigGeneration(t *testing.T) {
 		engine.renderNetworkConfig(&yaml, permissions)
 		output := yaml.String()
 
-		if !strings.Contains(output, "network = true") {
-			t.Error("Expected config.toml to contain 'network = true' for wildcard")
-		}
-		if !strings.Contains(output, "Network access enabled") {
-			t.Error("Expected comment about enabled access")
+		if !strings.Contains(output, "sandbox_mode = \"danger-full-access\"") {
+			t.Error("Expected config.toml to contain 'sandbox_mode = \"danger-full-access\"' for wildcard")
 		}
-		if !strings.Contains(output, "[sandbox]") {
-			t.Error("Expected config.toml to contain '[sandbox]' section")
+		if !strings.Contains(output, "Full access mode (danger)") {
+			t.Error("Expected comment about full access mode")
 		}
 	})
 }
@@ -720,3 +713,37 @@ func TestCodexEngineGetDefaultNetworkPermissions(t *testing.T) {
 		t.Errorf("Expected Codex default to have empty mode, got: %s", defaults.Mode)
 	}
 }
+
+func TestCodexEngineGetSandboxParam(t *testing.T) {
+	engine := NewCodexEngine()
+	
+	t.Run("getSandboxParam - nil permissions", func(t *testing.T) {
+		param := engine.getSandboxParam(nil)
+		expected := "--sandbox danger-full-access "
+		if param != expected {
+			t.Errorf("Expected '%s', got '%s'", expected, param)
+		}
+	})
+
+	t.Run("getSandboxParam - empty allowed list", func(t *testing.T) {
+		permissions := &NetworkPermissions{
+			Allowed: []string{},
+		}
+		param := engine.getSandboxParam(permissions)
+		expected := "--sandbox workspace-write "
+		if param != expected {
+			t.Errorf("Expected '%s', got '%s'", expected, param)
+		}
+	})
+
+	t.Run("getSandboxParam - wildcard allowed", func(t *testing.T) {
+		permissions := &NetworkPermissions{
+			Allowed: []string{"*"},
+		}
+		param := engine.getSandboxParam(permissions)
+		expected := "--sandbox danger-full-access "
+		if param != expected {
+			t.Errorf("Expected '%s', got '%s'", expected, param)
+		}
+	})
+}

pkg/workflow/codex_engine.go

@@ -2393,8 +2393,8 @@ This is a test workflow with wildcard network permissions and codex engine.
 			t.Fatalf("Failed to read lock file: %v", err)
 		}
 
-		if !strings.Contains(string(lockContentEmpty), "network = false") {
-			t.Error("Should contain 'network = false' for empty network permissions")
+		if !strings.Contains(string(lockContentEmpty), "network_access = false") {
+			t.Error("Should contain 'network_access = false' for empty network permissions")
 		}
 
 		// Compile the wildcard network workflow
@@ -2410,8 +2410,8 @@ This is a test workflow with wildcard network permissions and codex engine.
 			t.Fatalf("Failed to read lock file: %v", err)
 		}
 
-		if !strings.Contains(string(lockContentWildcard), "network = true") {
-			t.Error("Should contain 'network = true' for wildcard network permissions")
+		if !strings.Contains(string(lockContentWildcard), "sandbox_mode = \"danger-full-access\"") {
+			t.Error("Should contain 'sandbox_mode = \"danger-full-access\"' for wildcard network permissions")
 		}
 	})