
Codex permission and sandbox lockdown layer #71

Description

@Ryan-Atkinson87

The inner provider permission layer for Codex: configure sandbox_mode, network_access policy, and permission levels to match the strict-deny posture and explicit prohibitions enforced for Claude (#18).

Spec §3.2 (Codex permission/lockdown column), §7.4 (provider permission layer — inner), §7.5 (explicit prohibitions).

Acceptance criteria

  • Codex sandbox_mode and network_access policy set deny-by-default; only the Squid egress allowlist (§7.2) is reachable.
  • Permission levels deny the same prohibited operations enforced for Claude (§7.5): no force-push, no protected-branch writes, no filesystem access outside the bound mount.
  • Lockdown is applied by the adapter on every run_session — not opt-in.
  • Fails closed: a lockdown misconfiguration blocks the session rather than running it unsandboxed.
  • Tests assert the lockdown flags are present on every invocation and that a prohibited operation is rejected.

Depends on: #70
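The acceptance criteria above, sketched as an added Python example (not code from this repository): an adapter-side `Lockdown` that validates the `sandbox_mode` / `network_access` settings before every `run_session`, fails closed when either is missing or weakened, and rejects the §7.5 prohibitions (force-push, protected-branch push, paths outside the bound mount). The key names come from the issue; the class, the `key=value` override format, the mount path and the runner callback are assumptions.

```python
import posixpath
from dataclasses import dataclass

class LockdownError(Exception):
    """Raised when lockdown cannot be established; the session must not start."""

# Deny-by-default settings demanded on every run (assumed policy shape, built
# from the sandbox_mode / network_access keys named in the issue).
REQUIRED_CONFIG = {"sandbox_mode": "workspace-write", "network_access": False}
FORCE_FLAGS = {"-f", "--force", "--force-with-lease"}

@dataclass(frozen=True)
class Lockdown:
    mount: str                                  # only filesystem root a session may touch
    protected: frozenset = frozenset({"main"})  # branches no session may push to

    def config_overrides(self, config: dict) -> list:
        """Validate the sandbox config; refuse to run on any deviation (fail closed)."""
        for key, expected in REQUIRED_CONFIG.items():
            if config.get(key) != expected:     # missing or weakened => block the session
                raise LockdownError(f"{key} must be {expected!r}, got {config.get(key)!r}")
        # Re-emit as explicit key=value overrides so a run cannot inherit a looser profile.
        return [f"{k}={str(v).lower()}" for k, v in REQUIRED_CONFIG.items()]

    def check_operation(self, argv: list, path: str = "") -> None:
        """Reject the explicit prohibitions; returning normally means allowed."""
        if argv[:2] == ["git", "push"]:
            if FORCE_FLAGS & set(argv):
                raise LockdownError("force-push is prohibited")
            if self.protected & set(argv):
                raise LockdownError("write to a protected branch is prohibited")
        if path:
            # Normalise so '..' segments and absolute paths cannot leave the mount.
            full = posixpath.normpath(posixpath.join(self.mount, path))
            if full != self.mount and not full.startswith(self.mount.rstrip("/") + "/"):
                raise LockdownError(f"{path!r} escapes the bound mount")

    def run_session(self, config: dict, argv: list, runner):
        """Every session passes through lockdown; there is no opt-in flag to skip it."""
        overrides = self.config_overrides(config)   # raises before anything executes
        self.check_operation(argv)
        return runner(overrides + argv)             # runner receives the lockdown flags first

def rejects(fn, *args) -> bool:
    """True if the call is blocked by lockdown (helper for tests/assertions)."""
    try:
        fn(*args)
    except LockdownError:
        return True
    return False
```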

Labels: enhancement (New feature or request)