feat: introduce ExternalSandbox policy (#8290)

## Description Introduced `ExternalSandbox` policy to cover use case when sandbox defined by outside environment, effectively it translates to `SandboxMode#DangerFullAccess` for file system (since sandbox configured on container level) and configurable `network_access` (either Restricted or Enabled by outside environment). as example you can configure `ExternalSandbox` policy as part of `sendUserTurn` v1 app_server API: ``` { "conversationId": <id>, "cwd": <cwd>, "approvalPolicy": "never", "sandboxPolicy": { "type": ""external-sandbox", "network_access": "enabled"/"restricted" }, "model": <model>, "effort": <effort>, .... } ```
2026-05-05 22:01:37 +03:00 · 2025-12-18 17:02:03 -08:00
parent 3d4ced3ff5
commit 3429de21b3
26 changed files with 435 additions and 39 deletions
--- a/codex-rs/windows-sandbox-rs/src/audit.rs
+++ b/codex-rs/windows-sandbox-rs/src/audit.rs
@@ -271,7 +271,7 @@ pub fn apply_capability_denies_for_world_writable(
            })?,
            Vec::new(),
        ),
-        SandboxPolicy::DangerFullAccess => {
+        SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
            return Ok(());
        }
    };
--- a/codex-rs/windows-sandbox-rs/src/command_runner_win.rs
+++ b/codex-rs/windows-sandbox-rs/src/command_runner_win.rs
@@ -106,7 +106,9 @@ pub fn main() -> Result<()> {
            SandboxPolicy::WorkspaceWrite { .. } => {
                create_workspace_write_token_with_cap_from(base, psid_cap)
            }
-            SandboxPolicy::DangerFullAccess => unreachable!(),
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
+                unreachable!()
+            }
        }
    };
    let (h_token, psid_to_use) = token_res?;
--- a/codex-rs/windows-sandbox-rs/src/elevated_impl.rs
+++ b/codex-rs/windows-sandbox-rs/src/elevated_impl.rs
@@ -239,8 +239,11 @@ mod windows_impl {
            require_logon_sandbox_creds(&policy, sandbox_policy_cwd, cwd, &env_map, codex_home)?;
        log_note("cli creds ready", logs_base_dir);
        // Build capability SID for ACL grants.
-        if matches!(&policy, SandboxPolicy::DangerFullAccess) {
-            anyhow::bail!("DangerFullAccess is not supported for sandboxing")
+        if matches!(
+            &policy,
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+        ) {
+            anyhow::bail!("DangerFullAccess and ExternalSandbox are not supported for sandboxing")
        }
        let caps = load_or_create_cap_sids(codex_home)?;
        let (psid_to_use, cap_sid_str) = match &policy {
@@ -252,7 +255,9 @@ mod windows_impl {
                unsafe { convert_string_sid_to_sid(&caps.workspace).unwrap() },
                caps.workspace.clone(),
            ),
-            SandboxPolicy::DangerFullAccess => unreachable!("DangerFullAccess handled above"),
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
+                unreachable!("DangerFullAccess handled above")
+            }
        };

        let AllowDenyPaths { allow: _, deny: _ } =
--- a/codex-rs/windows-sandbox-rs/src/lib.rs
+++ b/codex-rs/windows-sandbox-rs/src/lib.rs
@@ -194,8 +194,11 @@ mod windows_impl {
        log_start(&command, logs_base_dir);
        let is_workspace_write = matches!(&policy, SandboxPolicy::WorkspaceWrite { .. });

-        if matches!(&policy, SandboxPolicy::DangerFullAccess) {
-            anyhow::bail!("DangerFullAccess is not supported for sandboxing")
+        if matches!(
+            &policy,
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+        ) {
+            anyhow::bail!("DangerFullAccess and ExternalSandbox are not supported for sandboxing")
        }
        let caps = load_or_create_cap_sids(codex_home)?;
        let (h_token, psid_to_use): (HANDLE, *mut c_void) = unsafe {
@@ -208,7 +211,9 @@ mod windows_impl {
                    let psid = convert_string_sid_to_sid(&caps.workspace).unwrap();
                    super::token::create_workspace_write_token_with_cap(psid)?
                }
-                SandboxPolicy::DangerFullAccess => unreachable!("DangerFullAccess handled above"),
+                SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
+                    unreachable!("DangerFullAccess handled above")
+                }
            }
        };

--- a/codex-rs/windows-sandbox-rs/src/policy.rs
+++ b/codex-rs/windows-sandbox-rs/src/policy.rs
@@ -5,13 +5,53 @@ pub fn parse_policy(value: &str) -> Result<SandboxPolicy> {
    match value {
        "read-only" => Ok(SandboxPolicy::ReadOnly),
        "workspace-write" => Ok(SandboxPolicy::new_workspace_write_policy()),
-        "danger-full-access" => anyhow::bail!("DangerFullAccess is not supported for sandboxing"),
+        "danger-full-access" | "external-sandbox" => anyhow::bail!(
+            "DangerFullAccess and ExternalSandbox are not supported for sandboxing"
+        ),
        other => {
            let parsed: SandboxPolicy = serde_json::from_str(other)?;
-            if matches!(parsed, SandboxPolicy::DangerFullAccess) {
-                anyhow::bail!("DangerFullAccess is not supported for sandboxing");
+            if matches!(
+                parsed,
+                SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+            ) {
+                anyhow::bail!(
+                    "DangerFullAccess and ExternalSandbox are not supported for sandboxing"
+                );
            }
            Ok(parsed)
        }
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn rejects_external_sandbox_preset() {
+        let err = parse_policy("external-sandbox").unwrap_err();
+        assert!(err
+            .to_string()
+            .contains("DangerFullAccess and ExternalSandbox are not supported"));
+    }
+
+    #[test]
+    fn rejects_external_sandbox_json() {
+        let payload = serde_json::to_string(
+            &codex_protocol::protocol::SandboxPolicy::ExternalSandbox {
+                network_access: codex_protocol::protocol::NetworkAccess::Enabled,
+            },
+        )
+        .unwrap();
+        let err = parse_policy(&payload).unwrap_err();
+        assert!(err
+            .to_string()
+            .contains("DangerFullAccess and ExternalSandbox are not supported"));
+    }
+
+    #[test]
+    fn parses_read_only_policy() {
+        assert_eq!(parse_policy("read-only").unwrap(), SandboxPolicy::ReadOnly);
+    }
+}
--- a/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
+++ b/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
@@ -52,7 +52,10 @@ pub fn run_setup_refresh(
    codex_home: &Path,
 ) -> Result<()> {
    // Skip in danger-full-access.
-    if matches!(policy, SandboxPolicy::DangerFullAccess) {
+    if matches!(
+        policy,
+        SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+    ) {
        return Ok(());
    }
    let (read_roots, write_roots) = build_payload_roots(