Skip to content

fix(ce-work-beta): update Codex sandbox flags to current CLI syntax#770

Merged
tmchow merged 2 commits intoEveryInc:mainfrom
davidalee:fix/ce-work-beta-codex-sandbox-flags
May 5, 2026
Merged

fix(ce-work-beta): update Codex sandbox flags to current CLI syntax#770
tmchow merged 2 commits intoEveryInc:mainfrom
davidalee:fix/ce-work-beta-codex-sandbox-flags

Conversation

@davidalee
Copy link
Copy Markdown
Contributor

@davidalee davidalee commented May 4, 2026

Summary

  • --full-auto is not a valid flag in the current Codex CLI — verified against codex exec --help (Codex 0.128.0+). The actual sandbox flag is -s workspace-write. The bash script was passing --full-auto directly to codex exec, which would cause delegation to fail at runtime.
  • --yolo is also not a valid flag — the actual flag for full bypass is --dangerously-bypass-approvals-and-sandbox. The script already used the correct flag; only the description shown during the consent flow was wrong.
  • Added a note that workspace-write blocks network access by default but network can be re-enabled via ~/.codex/config.toml.

Changes

plugins/compound-engineering/skills/ce-work-beta/references/codex-delegation-workflow.md:

  • Line 70: consent description: --yolo--dangerously-bypass-approvals-and-sandbox
  • Line 71: consent description: --full-auto-s workspace-write; added note on re-enabling network access
  • Line 227: bash script: SANDBOX_FLAG="--full-auto"SANDBOX_FLAG="-s workspace-write"

Open question

The internal mode names yolo and full-auto (used as config values and consent UI labels) derive from the old CLI flags that no longer exist. Options:

  1. Keep as-is — they're internal labels that don't reach the CLI, and changing them breaks existing user configs
  2. Align with Codex CLI terminology — e.g. bypass / workspace or danger / sandbox
  3. Use more descriptive names that map clearly to the underlying behavior regardless of CLI spelling

Deferring for now since it's a separate concern from the flag correctness fix and would require a migration path for existing configs.

Test plan

  • Inspect diff — three lines changed, no logic change for yolo path
  • Verify codex exec --help still shows -s workspace-write as a valid sandbox mode value
  • bun run release:validate passes

davidalee added 2 commits May 4, 2026 15:05
@davidalee
fix(ce-work-beta): update Codex sandbox flags to current CLI syntax
6f3fb81 
--full-auto and --yolo do not exist in Codex CLI (verified against
installed codex exec --help). Map full-auto to -s workspace-write and
yolo description to --dangerously-bypass-approvals-and-sandbox.
@davidalee
fix(ce-work-beta): clarify workspace-write network access in consent …
f881b61 
…warning
@davidalee
Copy link
Copy Markdown
Contributor Author

davidalee commented May 4, 2026

@tmchow Are you good with keeping the naming as-is? I don't think it disrupts anything to do so, but it does refer to modes that no longer exist and may cause confusion.

@tmchow
Copy link
Copy Markdown
Collaborator

tmchow commented May 5, 2026

I'm ok with the change. Merging soon.

@tmchow tmchow merged commit 7ff3472 into EveryInc:main May 5, 2026
2 checks passed
@github-actions github-actions Bot mentioned this pull request May 4, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tmchow tmchow tmchow approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@davidalee @tmchow