-
Notifications
You must be signed in to change notification settings - Fork 3.4k
Make “Full Access” reflect the effective worker sandbox and external write roots #4412
Copy link
Copy link
Open
Labels
bugSomething isn't workingSomething isn't workingdocumentationImprovements or additions to documentationImprovements or additions to documentationreliabilityReliability, flaky behavior, retries, fallbacks, and robustnessReliability, flaky behavior, retries, fallbacks, and robustnesssandboxSandbox, container, or OS-level isolation behaviorSandbox, container, or OS-level isolation behaviortuiTerminal UI behavior, rendering, or interactionTerminal UI behavior, rendering, or interactionuxUser experience, interaction, or presentation polishUser experience, interaction, or presentation polishv0.9.1Targeting v0.9.1Targeting v0.9.1
Milestone
Description
Metadata
Metadata
Assignees
Labels
bugSomething isn't workingSomething isn't workingdocumentationImprovements or additions to documentationImprovements or additions to documentationreliabilityReliability, flaky behavior, retries, fallbacks, and robustnessReliability, flaky behavior, retries, fallbacks, and robustnesssandboxSandbox, container, or OS-level isolation behaviorSandbox, container, or OS-level isolation behaviortuiTerminal UI behavior, rendering, or interactionTerminal UI behavior, rendering, or interactionuxUser experience, interaction, or presentation polishUser experience, interaction, or presentation polishv0.9.1Targeting v0.9.1Targeting v0.9.1
Projects
StatusShow more project fields
Backlog
Summary
The UI can display
Full Accesswhile a delegated worker is still unable to write outside the workspace root, including user-owned CodeWhale paths such as~/.codex/tmpand~/.codex/pets. It can also have no shell-execution tool available.That may be an intentional host/executor safety boundary, but it is not communicated accurately by the Full Access label.
Observed in v0.9.0
A task in
/Users/hunter/petsran under a visible Full Access posture, then received permission errors when its documented export/install pipeline attempted to write to user-owned~/.codex/locations. The model had to discover the restriction by failed writes and could not complete the install step.Expected
Full Access · workspace-bound workerand show the permitted roots.Acceptance criteria