From a79aac8a75912a349a1f9d1791cb38c8107085b7 Mon Sep 17 00:00:00 2001
From: lionelchg
Date: Wed, 26 Nov 2025 17:01:38 +0100
Subject: [PATCH 1/3] Put Read-only permission in review thread
Signed-off-by: lionelchg
---
 codex-rs/core/src/codex.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/codex-rs/core/src/codex.rs b/codex-rs/core/src/codex.rs
index e3c5de5762..7e0f847084 100644
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -1844,6 +1844,7 @@ async fn spawn_review_thread(
 per_turn_config.model_family.slug.as_str(),
 );
+ let review_sandbox_policy = SandboxPolicy::ReadOnly;
 let per_turn_config = Arc::new(per_turn_config);
 let client = ModelClient::new(
 per_turn_config.clone(),
@@ -1865,7 +1866,7 @@ async fn spawn_review_thread(
 base_instructions: Some(base_instructions.clone()),
 compact_prompt: parent_turn_context.compact_prompt.clone(),
 approval_policy: parent_turn_context.approval_policy,
- sandbox_policy: parent_turn_context.sandbox_policy.clone(),
+ sandbox_policy: review_sandbox_policy,
 shell_environment_policy: parent_turn_context.shell_environment_policy.clone(),
 cwd: parent_turn_context.cwd.clone(),
 final_output_json_schema: None,
From 5d9779a0715123fbbea75611d420a863bfdf344f Mon Sep 17 00:00:00 2001
From: lionelchg
Date: Thu, 27 Nov 2025 15:30:46 +0100
Subject: [PATCH 2/3] Pass comments of codex to enforce read-only at review_conversation level
Signed-off-by: lionelchg
---
 codex-rs/core/src/tasks/review.rs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/codex-rs/core/src/tasks/review.rs b/codex-rs/core/src/tasks/review.rs
index 14a95dba5c..6ceb97caf9 100644
--- a/codex-rs/core/src/tasks/review.rs
+++ b/codex-rs/core/src/tasks/review.rs
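Review bot: In `spawn_review_thread` (codex-rs/core/src/codex.rs, second hunk of [PATCH 1/3]), `approval_policy: parent_turn_context.approval_policy` is still inherited on the line just above the new `sandbox_policy: review_sandbox_policy`, so the read-only guarantee depends on how approval and sandbox interact outside this hunk. If the parent's approval policy allows a command to be re-run outside the sandbox once approved, a review turn could still modify the workspace; either pin the approval policy for review turns as well or add a comment such as `// approval_policy is inherited on purpose: escalation still needs explicit user approval`. The single-use binding added in the first hunk sits about twenty lines from its only use and could be written at the use site as `sandbox_policy: SandboxPolicy::ReadOnly, // review turns never inherit a writable sandbox`. The struct literal and the function body both start and end outside the hunks.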
@@ -96,6 +96,8 @@ async fn start_review_conversation(
 sub_agent_config.user_instructions = None;
 // Avoid loading project docs; reviewer only needs findings
 sub_agent_config.project_doc_max_bytes = 0;
+ // Enforce read-only sandbox for the review child session.
+ sub_agent_config.sandbox_mode = SandboxPolicy::ReadOnly;
 // Carry over review-only feature restrictions so the delegate cannot
 // re-enable blocked tools (web search, view image).
 sub_agent_config
From 01a9c63908a0d40d76afb05f483e43f1cee14140 Mon Sep 17 00:00:00 2001
From: lionelchg
Date: Thu, 27 Nov 2025 15:38:00 +0100
Subject: [PATCH 3/3] Correct import and name of policy
Signed-off-by: lionelchg
---
 codex-rs/core/src/tasks/review.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/codex-rs/core/src/tasks/review.rs b/codex-rs/core/src/tasks/review.rs
index 6ceb97caf9..09d5553bca 100644
--- a/codex-rs/core/src/tasks/review.rs
+++ b/codex-rs/core/src/tasks/review.rs
@@ -16,6 +16,7 @@ use tokio_util::sync::CancellationToken;
 use crate::codex::Session;
 use crate::codex::TurnContext;
 use crate::codex_delegate::run_codex_conversation_one_shot;
+use crate::protocol::SandboxPolicy;
 use crate::review_format::format_review_findings_block;
 use crate::state::TaskKind;
 use codex_protocol::user_input::UserInput;
@@ -97,7 +98,7 @@ async fn start_review_conversation(
 // Avoid loading project docs; reviewer only needs findings
 sub_agent_config.project_doc_max_bytes = 0;
 // Enforce read-only sandbox for the review child session.
- sub_agent_config.sandbox_mode = SandboxPolicy::ReadOnly;
+ sub_agent_config.sandbox_policy = SandboxPolicy::ReadOnly;
 // Carry over review-only feature restrictions so the delegate cannot
 // re-enable blocked tools (web search, view image).
 sub_agent_config
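Review bot: [PATCH 2/3] appears not to build on its own: the added `sub_agent_config.sandbox_mode = SandboxPolicy::ReadOnly;` uses a field name and relies on an import that [PATCH 3/3] then corrects (`sandbox_policy`, `use crate::protocol::SandboxPolicy;`). Squashing 2/3 into 3/3 would keep every commit in the series compilable, which matters for `git bisect` on a change that enforces a security boundary.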
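Review bot: Nothing in the series tests that a review session actually ends up read-only, and after [PATCH 3/3] the policy is set in two separate places — `sub_agent_config.sandbox_policy = SandboxPolicy::ReadOnly;` in `start_review_conversation` and the turn context in `spawn_review_thread` — so a later refactor of either could silently restore the parent's sandbox. A regression test that starts a review from a parent with a writable sandbox and asserts the child config carries `SandboxPolicy::ReadOnly` would pin this. Whether anything applied after this assignment (the `sub_agent_config` statement that follows is cut off by the hunk) can replace `sandbox_policy` again is not visible here and is worth confirming.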