bypass sandbox for policy approved commands #7110
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| let mut initial_sandbox = self | ||
| .sandbox | ||
| .select_initial(&turn_ctx.sandbox_policy, tool.sandbox_preference()); | ||
| if tool.wants_escalated_first_attempt(req) { | ||
| if tool.should_bypass_sandbox_first_attempt(req) { | ||
| initial_sandbox = crate::exec::SandboxType::None; |
There was a problem hiding this comment.
The new ApprovalRequirement::Skip { bypass_sandbox: true } returned for Decision::Allow (see exec_policy.rs lines 95‑112) now causes ToolOrchestrator::run to overwrite the sandbox selected from the user's SandboxPolicy and run with SandboxType::None whenever a command is policy-approved. For non-DangerFullAccess policies such as ReadOnly or WorkspaceWrite, earlier runs would stay inside the platform sandbox, but after this change those commands execute completely unsandboxed with no extra approval, effectively ignoring the configured sandbox restrictions.
Useful? React with 👍 / 👎.
allowing cmds greenlit by execpolicy to bypass sandbox + minor refactor for a world where we have execpolicy rules with specific sandbox requirements