
Add Computer Use requirements for controlling persistent approvals and app allowlist / denylist #20488

Draft
leoshimo-oai wants to merge 1 commit into main from leoshimo/sai-13224-cua-policy
Contributor

leoshimo-oai commented Apr 30, 2026

Summary

  • add Computer Use config/requirements support for:
    • [computer_use] allow_persistent_approval
    • [computer_use.macos] allowed_bundle_ids
    • [computer_use.macos] denied_bundle_ids
  • merge Computer Use requirements restrictively:
    • allow_persistent_approval = false wins
    • denied bundle IDs are unioned
    • allowed bundle IDs are intersected
  • expose effective Computer Use policy from config/read
  • expose requirements-only Computer Use policy from configRequirements/read
  • regenerate app-server protocol schemas/types

Linear: SAI-13224

Policy examples

Config example:

[computer_use]
allow_persistent_approval = false

[computer_use.macos]
denied_bundle_ids = ["com.apple.calculator"]
allowed_bundle_ids = ["com.apple.TextEdit", "com.apple.Safari"]

Requirements example:

[computer_use]
allow_persistent_approval = false

[computer_use.macos]
denied_bundle_ids = ["com.apple.calculator"]
allowed_bundle_ids = ["com.apple.TextEdit", "com.apple.Safari"]

Testing

  • cargo fmt --check
  • cargo test -p codex-app-server-protocol schema_fixtures
  • cargo test -p codex-app-server-protocol serialize_config_requirements_read
  • cargo test -p codex-config computer_use --lib
  • cargo test -p codex-app-server map_requirements_toml_to_api_converts_core_enums --lib
  • cargo test -p codex-tui debug_config_output --lib
  • cargo test -p codex-cloud-requirements --lib --no-run
  • cargo test -p codex-core --lib --no-run
  • cargo build --bin codex --bin codex-app-server
  • manual stdio app-server checks for:
    • no config / no requirements
    • requirements-only
    • config-only
    • config + requirements

leoshimo-oai marked this pull request as draft April 30, 2026 19:40
leoshimo-oai changed the title from "SAI-13224: Add Computer Use requirements" to "Add Computer Use requirements" Apr 30, 2026
leoshimo-oai force-pushed the leoshimo/sai-13224-cua-policy branch from ca37153 to ec34f9d April 30, 2026 23:01
leoshimo-oai marked this pull request as ready for review April 30, 2026 23:05
leoshimo-oai requested a review from a team as a code owner April 30, 2026 23:05
leoshimo-oai force-pushed the leoshimo/sai-13224-cua-policy branch 2 times, most recently from b61ef1a to a03a942 May 1, 2026 02:04
leoshimo-oai force-pushed the leoshimo/sai-13224-cua-policy branch from a03a942 to 962f13a May 1, 2026 17:44
leoshimo-oai force-pushed the leoshimo/sai-13224-cua-policy branch from 962f13a to 5f5b4fa May 4, 2026 17:58
leoshimo-oai changed the title from "Add Computer Use requirements" to "Add Computer Use requirements for controlling persistent approvals and app allowlist / denylist" May 5, 2026
leoshimo-oai marked this pull request as draft May 6, 2026 04:39
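
The restrictive merge listed in the summary (false wins, denied IDs unioned, allowed IDs intersected), sketched as an added example that is not code from this pull request. Type and function names are hypothetical, and it assumes that a missing allowlist means no allowlist restriction and that a denylist match overrides an allowlist match; the page states neither.

```rust
use std::collections::BTreeSet;

// Hypothetical types and names for illustration; not the PR's own structs.
#[derive(Clone, Debug, PartialEq)]
pub struct ComputerUsePolicy {
    pub allow_persistent_approval: Option<bool>,
    // Assumption: None means "no allowlist configured"; Some(empty) means "allow nothing".
    pub allowed_bundle_ids: Option<BTreeSet<String>>,
    pub denied_bundle_ids: BTreeSet<String>,
}

pub fn ids(v: &[&str]) -> BTreeSet<String> { v.iter().map(|s| s.to_string()).collect() }

// Merge two layers so the result is never more permissive than either input.
pub fn merge_restrictive(a: &ComputerUsePolicy, b: &ComputerUsePolicy) -> ComputerUsePolicy {
    let allow_persistent_approval = match (a.allow_persistent_approval, b.allow_persistent_approval) {
        (Some(x), Some(y)) => Some(x && y), // false wins
        (x, y) => x.or(y),
    };
    let allowed_bundle_ids: Option<BTreeSet<String>> =
        match (&a.allowed_bundle_ids, &b.allowed_bundle_ids) {
            // Keep an empty intersection as Some(empty); collapsing it to None would fail open.
            (Some(x), Some(y)) => Some(x.intersection(y).cloned().collect()),
            (x, y) => x.clone().or_else(|| y.clone()),
        };
    let denied_bundle_ids = a.denied_bundle_ids.union(&b.denied_bundle_ids).cloned().collect();
    ComputerUsePolicy { allow_persistent_approval, allowed_bundle_ids, denied_bundle_ids }
}

// Assumption: a denylist match overrides an allowlist match.
pub fn app_permitted(p: &ComputerUsePolicy, bundle_id: &str) -> bool {
    !p.denied_bundle_ids.contains(bundle_id)
        && p.allowed_bundle_ids.as_ref().map_or(true, |a| a.contains(bundle_id))
}

fn main() {
    // Constructed sample layers; the com.example.* bundle IDs are made up.
    let config = ComputerUsePolicy {
        allow_persistent_approval: Some(true),
        allowed_bundle_ids: Some(ids(&["com.apple.TextEdit", "com.apple.Safari"])),
        denied_bundle_ids: ids(&["com.apple.calculator"]),
    };
    let requirements = ComputerUsePolicy {
        allow_persistent_approval: Some(false),
        allowed_bundle_ids: Some(ids(&["com.apple.Safari", "com.example.notes"])),
        denied_bundle_ids: ids(&["com.example.terminal"]),
    };
    println!("{:#?}", merge_restrictive(&config, &requirements));
}
```

With two disjoint allowlists the merged allowlist is empty, so no app is permitted; that is the case a reviewer would want covered by a test.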