[codex] allow disabling prompt instruction blocks (#16735)

This PR adds root and profile config switches to omit the generated
`<permissions instructions>` and `<apps_instructions>` prompt blocks
while keeping both enabled by default, and it gates both the initial
developer-context injection and later permissions diff injection so
turning the permissions block off stays effective across turn-context
overrides.

Also added a prompt debug tool that can be used as `codex debug
prompt-input "hello"` and dumps the constructed items list.
Thibault Sottiaux
2026-04-03 13:47:56 -10:00
committed by GitHub
parent f263607c60
commit 8d19646861
11 changed files with 531 additions and 120 deletions


@@ -280,6 +280,12 @@ pub struct Config {
/// Guardian-specific developer instructions override from requirements.toml.
pub guardian_developer_instructions: Option<String>,
/// Whether to inject the `<permissions instructions>` developer block.
pub include_permissions_instructions: bool,
/// Whether to inject the `<apps_instructions>` developer block.
pub include_apps_instructions: bool,
/// Compact prompt override.
pub compact_prompt: Option<String>,
@@ -1183,6 +1189,12 @@ pub struct ConfigToml {
#[serde(default)]
pub developer_instructions: Option<String>,
/// Whether to inject the `<permissions instructions>` developer block.
pub include_permissions_instructions: Option<bool>,
/// Whether to inject the `<apps_instructions>` developer block.
pub include_apps_instructions: Option<bool>,
/// Optional path to a file containing model instructions that will override
/// the built-in instructions for the selected model. Users are STRONGLY
/// DISCOURAGED from using this field, as deviating from the instructions
@@ -2452,6 +2464,14 @@ impl Config {
Self::try_read_non_empty_file(model_instructions_path, "model instructions file")?;
let base_instructions = base_instructions.or(file_base_instructions);
let developer_instructions = developer_instructions.or(cfg.developer_instructions);
let include_permissions_instructions = config_profile
.include_permissions_instructions
.or(cfg.include_permissions_instructions)
.unwrap_or(true);
let include_apps_instructions = config_profile
.include_apps_instructions
.or(cfg.include_apps_instructions)
.unwrap_or(true);
let guardian_developer_instructions = guardian_developer_instructions_from_requirements(
config_layer_stack.requirements_toml(),
);
@@ -2618,6 +2638,8 @@ impl Config {
developer_instructions,
compact_prompt,
commit_attribution,
include_permissions_instructions,
include_apps_instructions,
// The config.toml omits "_mode" because it's a config file. However, "_mode"
// is important in code to differentiate the mode from the store implementation.
cli_auth_credentials_store_mode: cfg.cli_auth_credentials_store.unwrap_or_default(),
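Review bot: The doc comments on `include_permissions_instructions` and `include_apps_instructions` in `ConfigToml` (second hunk) do not say what an unset value means, although the resolution in the third hunk lets the profile value win over the root value and falls back to `true`. I would add that to both fields, for example `/// Defaults to true when unset; a profile-level value overrides the root-level one.` The permissions block appears to be where the model is told about the active permission settings, so the field doc should also say that `false` only omits the prompt text and is not a way to relax the policy itself; that enforcement path is not visible in these hunks, so confirm it before writing the sentence. Both structs and the `impl Config` function start and end outside the hunks shown.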