feat: introduce ExternalSandbox policy (#8290)

## Description Introduced `ExternalSandbox` policy to cover use case when sandbox defined by outside environment, effectively it translates to `SandboxMode#DangerFullAccess` for file system (since sandbox configured on container level) and configurable `network_access` (either Restricted or Enabled by outside environment). as example you can configure `ExternalSandbox` policy as part of `sendUserTurn` v1 app_server API: ``` { "conversationId": <id>, "cwd": <cwd>, "approvalPolicy": "never", "sandboxPolicy": { "type": ""external-sandbox", "network_access": "enabled"/"restricted" }, "model": <model>, "effort": <effort>, .... } ```
2026-05-02 20:32:04 +03:00 · 2025-12-18 17:02:03 -08:00
parent 3d4ced3ff5
commit 3429de21b3
26 changed files with 435 additions and 39 deletions
--- a/codex-rs/windows-sandbox-rs/src/policy.rs
+++ b/codex-rs/windows-sandbox-rs/src/policy.rs
@@ -5,13 +5,53 @@ pub fn parse_policy(value: &str) -> Result<SandboxPolicy> {
    match value {
        "read-only" => Ok(SandboxPolicy::ReadOnly),
        "workspace-write" => Ok(SandboxPolicy::new_workspace_write_policy()),
-        "danger-full-access" => anyhow::bail!("DangerFullAccess is not supported for sandboxing"),
+        "danger-full-access" | "external-sandbox" => anyhow::bail!(
+            "DangerFullAccess and ExternalSandbox are not supported for sandboxing"
+        ),
        other => {
            let parsed: SandboxPolicy = serde_json::from_str(other)?;
-            if matches!(parsed, SandboxPolicy::DangerFullAccess) {
-                anyhow::bail!("DangerFullAccess is not supported for sandboxing");
+            if matches!(
+                parsed,
+                SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+            ) {
+                anyhow::bail!(
+                    "DangerFullAccess and ExternalSandbox are not supported for sandboxing"
+                );
            }
            Ok(parsed)
        }
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn rejects_external_sandbox_preset() {
+        let err = parse_policy("external-sandbox").unwrap_err();
+        assert!(err
+            .to_string()
+            .contains("DangerFullAccess and ExternalSandbox are not supported"));
+    }
+
+    #[test]
+    fn rejects_external_sandbox_json() {
+        let payload = serde_json::to_string(
+            &codex_protocol::protocol::SandboxPolicy::ExternalSandbox {
+                network_access: codex_protocol::protocol::NetworkAccess::Enabled,
+            },
+        )
+        .unwrap();
+        let err = parse_policy(&payload).unwrap_err();
+        assert!(err
+            .to_string()
+            .contains("DangerFullAccess and ExternalSandbox are not supported"));
+    }
+
+    #[test]
+    fn parses_read_only_policy() {
+        assert_eq!(parse_policy("read-only").unwrap(), SandboxPolicy::ReadOnly);
+    }
+}