feat(ce-work-beta): add user-selectable sandbox options to Codex delegation#364
huntharo wants to merge 3 commits into EveryInc:main from
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 476feb89d3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
I ran this last night via the wrapper shell script and built a full stack app in about 45 minutes from Claude using Codex to do the build.
@huntharo That's great to hear - full stack app in 45 minutes is a solid validation of the Codex delegation flow. Any rough edges or things that could be smoother?
@huntharo can you rebase off main as I've merged a lot in. I'd like to figure out a path to get this into the main ce:work skill instead of maintaining it as separate, provided we can get enough testing on it. Given how big of a boost this is, it's helpful to converge. One thing to consider is whether we should store a user preference for always running codex mode when the skill is invoked from Claude Code. Remember that we are cross-agent env compatible by design, so running codex mode from within Codex won't make sense. I'm planning on moving preferences sometime soon out of the
805609b to 1ae9270
Should be all done @tmchow - I have my Codex doing a code review too just in case it finds anything.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1ae927038f
1ae9270 to 05f0b79
@huntharo address the relevant codex feedback
…gation

The delegate step told the agent to run Codex without specifying sandbox or approval flags. Users without permissive global Codex config saw delegation fail on the first network operation (e.g., npm install). PR EveryInc#363 proposed hardcoding `-s workspace-write -a never`, but one-shotting via `codex exec` likely needs `--yolo` for non-trivial tasks since workspace-write still restricts system-level access.

Add a new step 2 to the External Delegation Workflow that presents three security posture options:
- Default (no flags) -- uses Codex defaults, will likely fail in exec mode
- Workspace write (--full-auto) -- moderate access, may still fail
- Full access (--yolo) -- disables all restrictions, with explicit risk warnings about data deletion, secret leakage, and unapproved commands

The choice is asked once per delegation session and applied to all delegated tasks. Uses cross-platform question tool with numbered-list fallback per the skill checklist.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codex review correctly flagged that in --yolo mode the sandbox is disabled, so the delegate CAN write to .git/index.lock. Updated step 7 to clarify the sandbox only blocks commits in default and workspace-write modes; in yolo mode, the prompt instruction is what prevents the delegate from committing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
05f0b79 to c0f7192
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c0f7192c8e
Summary
Add a security posture selection step to the Codex External Delegation Workflow so users can choose between default, workspace-write, and full-access (`--yolo`) modes before delegation runs.
Why this matters
Taking over PR #363 after discussing with @mvanhorn.
`codex exec` with default settings fails on the first operation needing approval (e.g., `npm install`) because exec mode is non-interactive. That PR proposed hardcoding `-s workspace-write -a never`, but `workspace-write` still restricts system-level (and network) access outside the workspace directory. For non-trivial one-shot delegations, `--yolo` (`--dangerously-bypass-approvals-and-sandbox`) is the only flag set likely to produce a complete solution -- but it carries real risks (arbitrary file deletion, secret leakage, unapproved command execution). Rather than hardcoding one posture, this PR lets the user choose with full visibility into the tradeoffs.
Changes
Added step 2 ("Select security posture") to the External Delegation Workflow in `plugins/compound-engineering/skills/ce-work-beta/SKILL.md`:
- Workspace write (`--full-auto`) -- `-s workspace-write -a on-request`. Moderate risk, may still fail for tasks needing system access.
- Full access (`--yolo`) -- `--dangerously-bypass-approvals-and-sandbox`. Explicit risk warnings about data deletion, secret leakage, and unapproved commands. Only option likely to work for non-trivial exec-mode delegation.
The choice is asked once per session via the platform's blocking question tool (with numbered-list fallback for platforms without one). Renumbered subsequent steps (old 2-7 -> new 3-8).
Supersedes #363.
Testing
Tested via the `claude-code-ce` script that loads the updated plugin into the Claude Code CLI, then giving the problem below and checking before/after. There is an additional oddity uncovered: it tries to redirect the prompt file into `codex` and this fails, and it ends up reading help messages several times, then deciding to just emit the full prompt in the command line string - other times it randomly decides to cat the plan and pipe it to `codex`, which appears to work.
Test Prompt
Before - Does Not Prompt / Simply Fails to Exit Codex Sandbox
After - Prompts for Mode
After - Yolo Selected - Runs with `dangerously-bypass-approvals-and-sandbox`
After - Yolo Selected - Gets Result
After - Workspace Write Selected - Runs with `full-auto`
After - Workspace Write Selected - Fails on Network
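The posture selection described in the Changes section, and the caveat from the second commit that in `--yolo` mode only the prompt instruction keeps the delegate from committing, can be made concrete in a small wrapper. The script below is an added example, not code from this PR or from the ce-work-beta skill: it maps the numbered choice (1 = default, 2 = workspace write, 3 = full access) to the flag sets the PR names, prints the risk warning before a full-access run, and snapshots `git rev-parse HEAD` before and after so that an unauthorized commit in yolo mode is detected rather than trusted. It assumes `codex exec` accepts the prompt on stdin (the PR author observed the cat-and-pipe form working), a git checkout in the current directory, and a prompt file as the second argument; `CODEX_DELEGATE_RUN`, `posture_flags`, `head_moved` and `delegate` are names chosen for this example.

```shell
#!/usr/bin/env sh
# Added example wrapper (not part of the PR or the skill). Assumes `codex exec`
# reads the prompt from stdin when it is piped in, and that $PWD is a git repo.

# Map the user's numbered choice, as the skill's numbered-list fallback
# presents it, to the flag set the PR describes for that posture.
posture_flags() {
  case "$1" in
    1) printf '%s' '' ;;                                           # Default: Codex defaults
    2) printf '%s' '--full-auto' ;;                                # Workspace write
    3) printf '%s' '--dangerously-bypass-approvals-and-sandbox' ;; # Full access (--yolo)
    *) return 1 ;;
  esac
}

# Warning shown only for full access: with the sandbox and approvals off,
# nothing but the prompt stops file deletion, secret reads, or commits.
posture_warning() {
  case "$1" in
    3) printf '%s' 'WARNING: sandbox and approvals disabled; the delegate can delete files, read secrets, run any command and commit.' ;;
    *) printf '%s' '' ;;
  esac
}

# True when HEAD changed between two snapshots, i.e. the delegate committed.
# Default and workspace-write modes are blocked by the sandbox; in yolo mode
# the wrapper has to check, because the prompt instruction is not a boundary.
head_moved() {
  [ "$1" != "$2" ]
}

current_head() {
  git rev-parse HEAD 2>/dev/null || printf '%s' 'no-repo'
}

# delegate <posture 1|2|3> <prompt-file>
delegate() {
  posture="$1"; prompt_file="$2"
  flags="$(posture_flags "$posture")" || { echo "unknown posture: $posture" >&2; return 2; }
  warn="$(posture_warning "$posture")"
  if [ -n "$warn" ]; then echo "$warn" >&2; fi
  before="$(current_head)"
  # shellcheck disable=SC2086  # $flags is intentionally word-split (may be empty)
  if cat "$prompt_file" | codex exec $flags; then status=0; else status=$?; fi
  after="$(current_head)"
  if head_moved "$before" "$after"; then
    echo "delegate committed ($before -> $after); review the commit before trusting the result" >&2
    return 3
  fi
  return "$status"
}

# Only run a real delegation when explicitly asked, so the functions above
# can be sourced or tested without invoking codex.
if [ "${CODEX_DELEGATE_RUN:-0}" = 1 ]; then
  delegate "${1:?posture 1|2|3}" "${2:?prompt file}"
fi
```

Usage: `CODEX_DELEGATE_RUN=1 sh delegate.sh 3 plan.md`. The HEAD comparison is a detection, not a prevention: a delegate running without a sandbox could also rewrite history or touch `.git` directly, so a non-zero exit here means inspect the working tree and reflog, not just the diff.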