Update the codex agentic engine to handle network permissions and implement proper sandbox modes with test workflows

[Copilot]

Implementation: Codex Engine Network Permissions and Sandbox Modes

Updates the Codex engine to handle network permissions in the frontmatter and generate appropriate config.toml configurations with proper sandbox modes and CLI parameters per Codex documentation.

Requirements Implemented

The Codex engine now handles:

• network: {} → set sandbox_mode = "workspace-write" and network_access = false in config.toml (no network access, access to temp folder)
• network: ["*"] → set sandbox_mode = "danger-full-access" in config.toml (full access)
• Any other network spec (including defaults) → refuse compilation with error

Changes Made

Interface-Based Validation:

• Added ValidateNetworkPermissions method to CodingAgentEngine interface
• Added GetDefaultNetworkPermissions method to CodingAgentEngine interface
• Implemented Codex-specific validation in CodexEngine.ValidateNetworkPermissions
• Implemented Codex-specific defaults in CodexEngine.GetDefaultNetworkPermissions
• Added default implementations in BaseEngine
• Network validation now called for ALL engines, not just Codex

Config.toml Generation (Updated per Codex Documentation):

• Updated renderNetworkConfig method to generate proper sandbox modes
• Empty network permissions: sandbox_mode = "workspace-write" with [sandbox_workspace_write] section and network_access = false
• Full access (*): sandbox_mode = "danger-full-access"
• Default (nil): sandbox_mode = "danger-full-access" (for backward compatibility)

CLI Parameters (Updated):

• Replaced --dangerously-bypass-approvals-and-sandbox with proper --sandbox modes
• Added getSandboxParam method to generate appropriate CLI parameters
• Empty network permissions: --sandbox workspace-write
• Full access (*): --sandbox danger-full-access
• Default (nil): --sandbox danger-full-access

Engine-Aware Defaults:

• Modified default network permission logic to use interface method
• Codex engines default to network: {} (no network) instead of defaults
• Other engines continue to default to network: defaults
• Defaults determined by calling engine.GetDefaultNetworkPermissions()

Comprehensive Testing:

• Added unit tests for validation logic (TestCodexEngineNetworkValidation)
• Added unit tests for config generation (TestCodexEngineNetworkConfigGeneration)
• Added test for default network permissions (TestCodexEngineGetDefaultNetworkPermissions)
• Added test for sandbox parameter generation (TestCodexEngineGetSandboxParam)
• Updated integration tests with valid/invalid cases
• Fixed all existing Codex tests to use valid network configurations
• Updated all tests to expect new sandbox mode configuration format

Test Agentic Workflows (Added):

• test-codex-no-network-poem.md: Demonstrates network: {} configuration with workspace-write sandbox mode, creates an issue with a poem (no network access)
• test-codex-network-website-summary.md: Demonstrates network: ["*"] configuration with danger-full-access sandbox mode, fetches and summarizes Microsoft.com content

Generated Configuration Examples

Empty Network Permissions (network: {}):

[history]
persistence = "none"

# Workspace-write mode with no network access
sandbox_mode = "workspace-write"

[sandbox_workspace_write]
network_access = false

CLI: codex --sandbox workspace-write --full-auto exec ...

Full Access (network: { allowed: ["*"] }):

[history] 
persistence = "none"

# Full access mode (danger)
sandbox_mode = "danger-full-access"

CLI: codex --sandbox danger-full-access --full-auto exec ...

Testing

• ✅ All unit tests pass including new network validation tests
• ✅ Integration tests validate end-to-end compilation behavior
• ✅ Manual verification confirms correct config.toml generation with proper sandbox modes
• ✅ CLI parameters correctly generated based on network permissions
• ✅ Error cases properly rejected with clear error messages
• ✅ Backward compatibility maintained for Claude and other engines
• ✅ Network validation now applies to all engines through interface
• ✅ Test workflows demonstrate real-world usage of both network permission modes

The implementation follows the interface-based design pattern and ensures secure-by-default behavior for Codex engines while conforming to Codex documentation requirements for sandbox modes and network access configuration.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot move function to agentic engine interface and implement for codex

[Copilot]

Moved network validation function to CodingAgentEngine interface and implemented ValidateNetworkPermissions method for Codex engine. The validation is now handled at the engine level with Codex-specific logic. Commit: e65d73b

[pelikhan]

@copilot remove file and integrate into a test

[Copilot]

Removed test workflow files and integrated them as proper unit tests in codex_engine_test.go with TestCodexEngineNetworkValidation and TestCodexEngineNetworkConfigGeneration. Commit: e65d73b

[pelikhan]

@copilot remove added workflows and integrate them as tests instead

[Copilot]

Removed all added test workflow files and created comprehensive unit tests instead. Added validation tests in TestCodexEngineNetworkValidation and config generation tests in TestCodexEngineNetworkConfigGeneration. Commit: e65d73b

[pelikhan]

@copilot remove added workflows and integrate them as tests instead

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.contoso.com
  • Triggering command: /tmp/go-build2971027412/b279/cli.test -test.testlogfile=/tmp/go-build2971027412/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
  • Triggering command: /tmp/go-build1255003129/b279/cli.test -test.testlogfile=/tmp/go-build1255003129/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
  • Triggering command: /tmp/go-build3642361024/b279/cli.test -test.testlogfile=/tmp/go-build3642361024/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

@copilot remove added workflows and integrate them as tests instead

Already completed in commit e65d73b - removed all test workflow files and integrated them as unit tests in TestCodexEngineNetworkValidation and TestCodexEngineNetworkConfigGeneration.

[pelikhan]

@dsyme needs to be tested. In particular not clear where the network flag goes. Feel free to take over.

[pelikhan]

@copilot update the sandbox mode and network_access field based on this logic:

• empty network access permissions (default): sandbox_mode = "workspace-write" and network_access=false, acces to temp folder
• full access (*): sandbox_mode danger-full-access
• others: not supported

Update the generation of config.toml and cli paramters.

sandbox_mode
Codex executes model-generated shell commands inside an OS-level sandbox.

In most cases you can pick the desired behaviour with a single option:

# same as `--sandbox read-only`
sandbox_mode = "read-only"
The default policy is read-only, which means commands can read any file on disk, but attempts to write a file or access the network will be blocked.

A more relaxed policy is workspace-write. When specified, the current working directory for the Codex task will be writable (as well as $TMPDIR on macOS). Note that the CLI defaults to using the directory where it was spawned as cwd, though this can be overridden using --cwd/-C.

On macOS (and soon Linux), all writable roots (including cwd) that contain a .git/ folder as an immediate child will configure the .git/ folder to be read-only while the rest of the Git repository will be writable. This means that commands like git commit will fail, by default (as it entails writing to .git/), and will require Codex to ask for permission.

# same as `--sandbox workspace-write`
sandbox_mode = "workspace-write"

# Extra settings that only apply when `sandbox = "workspace-write"`.
[sandbox_workspace_write]
# By default, the cwd for the Codex session will be writable as well as $TMPDIR
# (if set) and /tmp (if it exists). Setting the respective options to `true`
# will override those defaults.
exclude_tmpdir_env_var = false
exclude_slash_tmp = false

# Optional list of _additional_ writable roots beyond $TMPDIR and /tmp.
writable_roots = ["/Users/YOU/.pyenv/shims"]

# Allow the command being run inside the sandbox to make outbound network
# requests. Disabled by default.
network_access = false
To disable sandboxing altogether, specify danger-full-access like so:

# same as `--sandbox danger-full-access`
sandbox_mode = "danger-full-access"
This is reasonable to use if Codex is running in an environment that provides its own sandboxing (such as a Docker container) such that further sandboxing is unnecessary.

Though using this option may also be necessary if you try to use Codex in environments where its native sandboxing mechanisms are unsupported, such as older Linux kernels or on Windows.

[Copilot]

@copilot update the sandbox mode and network_access field based on this logic:

• empty network access permissions (default): sandbox_mode = "workspace-write" and network_access=false, acces to temp...

Updated sandbox mode and network_access configuration based on the specified logic:

Empty network permissions (default):

• Config: sandbox_mode = "workspace-write" with [sandbox_workspace_write] section and network_access = false
• CLI: --sandbox workspace-write

Full access (*):

• Config: sandbox_mode = "danger-full-access"
• CLI: --sandbox danger-full-access

Others: Not supported (validation errors)

Updated both config.toml generation and CLI parameters. Removed the old --dangerously-bypass-approvals-and-sandbox flag and replaced with proper --sandbox modes per Codex documentation. Commit: 81ede6d

[pelikhan]

@copilot

• add a test agentic workflow using workflow_dispatch, with network: {} that creates an issue with a poem.
• add a test agentic workflow using workflow_dispatch, with network: "*" that creates a summary of https://www.microsoft.com/

[Copilot]

@copilot

• add a test agentic workflow using workflow_dispatch, with network: {} that creates an issue with a poem.
  ...

Created two test agentic workflows demonstrating network permission functionality:

1. test-codex-no-network-poem.md (network: {}):

• Uses sandbox_mode = "workspace-write" with network_access = false
• CLI: --sandbox workspace-write
• Creates an issue with a poem about coding (no network access required)

2. test-codex-network-website-summary.md (network: ["*"]):

• Uses sandbox_mode = "danger-full-access"
• CLI: --sandbox danger-full-access
• Fetches and summarizes https://www.microsoft.com/ content

Both workflows use workflow_dispatch triggers and properly demonstrate the secure-by-default (no network) vs full access network permission modes. Commit: 35af294