
Carry sandbox intent to remote exec servers#29108

Merged
jif-oai merged 2 commits into main from jif/remote-exec-sandbox-intent-transport on Jun 21, 2026

Conversation

@jif-oai

@jif-oai jif-oai commented Jun 19, 2026

Collaborator

What changed

PR #29099 stopped sending the orchestrator's concrete sandbox wrapper to a remote exec-server. Remote commands now arrive as plain native argv.

This PR adds the next piece: Codex also sends portable sandbox intent next to that plain argv.

For a remote unified-exec command, the request can now include:

  • the canonical permission profile before local workspace-root materialization
  • the sandbox cwd and workspace roots as PathUri values
  • Windows sandbox settings
  • the legacy Landlock setting
  • whether managed networking must be enforced

The important part is that symbolic entries such as :workspace_roots stay symbolic while crossing the boundary. The executor can then bind them to its own workspace-root paths instead of receiving orchestrator-local absolute paths.

The data travels through ExecRequest into ExecParams. Older exec-servers can still deserialize requests because the new fields have defaults.

Why

The orchestrator should not decide how another machine implements sandboxing.

For example:

  • a local macOS Codex would normally build a Seatbelt command
  • a remote Linux executor needs a Linux sandbox command instead

The orchestrator now sends the plain command plus the policy it intended to enforce. A later PR can let the exec-server choose and build the correct sandbox for its own operating system.

Important detail

This keeps the portable intent separate from the local SandboxType.

SandboxType::None is ambiguous:

  • it can mean the command was explicitly approved to run without a sandbox
  • it can also mean the orchestrator host has no concrete sandbox implementation available

Those cases are different for remote execution. This PR adds sandbox_requested so an executor can still receive sandbox intent when the orchestrator cannot build a local wrapper. Explicit unsandboxed retries still send no sandbox context.

Behavior today

This PR only transports the intent. The exec-server accepts the new fields but does not apply them yet.

Remote commands therefore remain unsandboxed after this PR, just as they are after PR #29099.

Follow-up

The next PR will make exec-server read this portable intent, bind symbolic workspace permissions to executor-native roots, choose the sandbox for its own operating system, build the wrapper locally, and then spawn the command.
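The transport design described in this PR, as an added example that is not codex-rs code: a small model of portable sandbox intent that keeps `:workspace_roots` symbolic on the wire, lets a peer that lacks a field fall back to defaults, separates `sandbox_requested` from the host's local `SandboxType`, and binds the symbol to executor-native roots. Every type, field and function name here (`PathEntry`, `SandboxIntent`, `local_wrapper`, `build_intent`, `encode`, `decode`, `bind`), the line-oriented wire format, and the sample paths are assumptions for illustration, not the project's actual `ExecRequest`/`ExecParams` schema.

```rust
// Added example, not codex-rs code. All names and the wire format are assumptions.

/// One permission-profile entry: a symbolic placeholder the executor resolves,
/// or a concrete path the orchestrator already knows.
#[derive(Clone, Debug, PartialEq)]
pub enum PathEntry {
    /// Travels as the literal token `:workspace_roots`, never as a host path.
    WorkspaceRoots,
    Concrete(String),
}

/// Portable intent. Every field has a default, so a request that omits a
/// field (or carries one the peer does not know) still round-trips.
#[derive(Clone, Debug, PartialEq, Default)]
pub struct SandboxIntent {
    pub writable: Vec<PathEntry>,
    pub sandbox_requested: bool,
    pub enforce_managed_network: bool,
}

/// The orchestrator host's concrete sandbox type (simplified).
#[derive(Clone, Copy, PartialEq)]
pub enum SandboxType { Seatbelt, LinuxSeccomp, None }

/// What the host could build locally. `None` only means "no wrapper here";
/// it says nothing about whether the policy wants a sandbox.
pub fn local_wrapper(local: SandboxType) -> Option<&'static str> {
    match local {
        SandboxType::Seatbelt => Some("sandbox-exec"),
        SandboxType::LinuxSeccomp => Some("codex-linux-sandbox"),
        SandboxType::None => None,
    }
}

/// Build the intent to send. It depends only on the policy, not on the local
/// `SandboxType`; an explicit unsandboxed run sends no sandbox context at all.
pub fn build_intent(policy_wants_sandbox: bool, writable: Vec<PathEntry>) -> Option<SandboxIntent> {
    if !policy_wants_sandbox {
        return None;
    }
    Some(SandboxIntent { writable, sandbox_requested: true, enforce_managed_network: true })
}

/// Minimal line-oriented wire encoding (a stand-in for the real serialization).
pub fn encode(intent: &SandboxIntent) -> String {
    let writable: Vec<String> = intent.writable.iter().map(|e| match e {
        PathEntry::WorkspaceRoots => ":workspace_roots".to_string(),
        PathEntry::Concrete(p) => p.clone(),
    }).collect();
    format!(
        "writable={}\nsandbox_requested={}\nenforce_managed_network={}\n",
        writable.join(","), intent.sandbox_requested, intent.enforce_managed_network
    )
}

/// Executor-side decode: unknown keys are ignored and missing keys keep their
/// `Default`, which is what lets older and newer peers exchange requests.
pub fn decode(wire: &str) -> SandboxIntent {
    let mut intent = SandboxIntent::default();
    for line in wire.lines() {
        let (key, value) = match line.split_once('=') { Some(kv) => kv, None => continue };
        match key {
            "writable" => intent.writable = value.split(',').filter(|s| !s.is_empty())
                .map(|s| if s == ":workspace_roots" { PathEntry::WorkspaceRoots } else { PathEntry::Concrete(s.to_string()) })
                .collect(),
            "sandbox_requested" => intent.sandbox_requested = value == "true",
            "enforce_managed_network" => intent.enforce_managed_network = value == "true",
            _ => {}
        }
    }
    intent
}

/// Executor side: bind the symbolic entry to the executor's own workspace roots.
pub fn bind(intent: &SandboxIntent, executor_roots: &[&str]) -> Vec<String> {
    let mut bound = Vec::new();
    for entry in &intent.writable {
        match entry {
            PathEntry::WorkspaceRoots => bound.extend(executor_roots.iter().map(|r| r.to_string())),
            PathEntry::Concrete(p) => bound.push(p.clone()),
        }
    }
    bound
}

fn main() {
    // Orchestrator on macOS whose own root is /Users/alice/proj (constructed sample):
    // the wire carries only the symbol, and intent is sent even with no local wrapper.
    assert!(local_wrapper(SandboxType::None).is_none());
    let intent = build_intent(true, vec![PathEntry::WorkspaceRoots, PathEntry::Concrete("/tmp".into())]).unwrap();
    let wire = encode(&intent);
    assert!(wire.contains(":workspace_roots") && !wire.contains("/Users/alice"));
    // Executor on Linux binds the symbol to its own root.
    let bound = bind(&decode(&wire), &["/home/ci/proj"]);
    println!("{bound:?}"); // ["/home/ci/proj", "/tmp"]
}
```

The two ambiguous cases from the PR description map onto two different calls: `build_intent(false, ..)` for an explicit unsandboxed retry returns `None` and nothing is sent, while a host whose `local_wrapper` is `None` still calls `build_intent(true, ..)` and ships `sandbox_requested = true`. A request encoded without the new keys decodes to the `Default` values, which is the compatibility property the description relies on.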

@jif-oai jif-oai requested a review from a team as a code owner June 19, 2026 15:27

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Contributor


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a494f4dfae


Comment thread codex-rs/core/src/tools/sandboxing.rs Outdated
@jif-oai jif-oai merged commit bd2968a into main Jun 21, 2026
31 checks passed
@jif-oai jif-oai deleted the jif/remote-exec-sandbox-intent-transport branch June 21, 2026 10:33
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 21, 2026